agenshield 0.1.0

package/src/utils/daemon.js

@@ -0,0 +1,377 @@
+/**
+ * Daemon management utilities
+ *
+ * Provides functions for starting, stopping, and monitoring the AgenShield daemon.
+ */
+import { spawn, execSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { isSecretEnvVar } from '@agenshield/sandbox';
+import { captureCallingUserEnv } from './sudo-env.js';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+/**
+ * Daemon configuration
+ */
+export const DAEMON_CONFIG = {
+    PID_FILE: '/var/run/agenshield/agenshield.pid',
+    PORT: 5200,
+    HOST: '127.0.0.1', // Use IPv4 for actual connections (avoids IPv6 issues)
+    DISPLAY_HOST: 'localhost', // Use localhost for user-facing URLs
+    LOG_DIR: '/var/log/agenshield',
+    SOCKET_DIR: '/var/run/agenshield',
+};
+/**
+ * Get the current daemon status
+ */
+export async function getDaemonStatus() {
+    // Check via HTTP health endpoint first
+    try {
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 2000);
+        const response = await fetch(`http://${DAEMON_CONFIG.HOST}:${DAEMON_CONFIG.PORT}/api/health`, {
+            signal: controller.signal,
+        });
+        clearTimeout(timeout);
+        if (response.ok) {
+            const data = (await response.json());
+            const pid = findDaemonPid() || findDaemonPidByPort(DAEMON_CONFIG.PORT);
+            return {
+                running: true,
+                pid: pid ?? undefined,
+                port: DAEMON_CONFIG.PORT,
+                uptime: data.uptime,
+                url: `http://${DAEMON_CONFIG.HOST}:${DAEMON_CONFIG.PORT}`,
+            };
+        }
+    }
+    catch {
+        // Daemon not responding via HTTP
+    }
+    // Check PID files (home dir + legacy location)
+    const pid = findDaemonPid();
+    if (pid) {
+        return { running: true, pid };
+    }
+    return { running: false };
+}
+/**
+ * Find the daemon executable path
+ */
+export function findDaemonExecutable() {
+    const searchPaths = [
+        // Relative to CLI dist
+        path.join(__dirname, '../../../shield-daemon/dist/main.js'),
+        // Installed location
+        '/opt/agenshield/bin/agenshield-daemon',
+        // Development location from project root
+        path.join(process.cwd(), 'libs/shield-daemon/dist/main.js'),
+    ];
+    for (const p of searchPaths) {
+        if (fs.existsSync(p)) {
+            return p;
+        }
+    }
+    return null;
+}
+/**
+ * Find the daemon TypeScript source (for tsx fallback in dev)
+ */
+export function findDaemonSource() {
+    const searchPaths = [
+        path.join(__dirname, '../../../shield-daemon/src/main.ts'),
+        path.join(process.cwd(), 'libs/shield-daemon/src/main.ts'),
+    ];
+    return searchPaths.find(p => fs.existsSync(p)) || null;
+}
+/**
+ * Find tsx binary for running TypeScript directly
+ */
+function findTsx() {
+    const searchPaths = [
+        path.join(process.cwd(), 'node_modules/.bin/tsx'),
+    ];
+    return searchPaths.find(p => fs.existsSync(p)) || null;
+}
+/**
+ * Find daemon PID from known PID file locations
+ */
+function findDaemonPid() {
+    const homePidPath = path.join(os.homedir(), '.agenshield', 'daemon.pid');
+    const legacyPidPath = DAEMON_CONFIG.PID_FILE;
+    const pidPaths = [homePidPath, legacyPidPath];
+    // When running as root via sudo, the daemon runs as SUDO_USER and writes
+    // its PID to ~sudouser/.agenshield/daemon.pid (not /var/root/).
+    const sudoUser = process.env['SUDO_USER'];
+    if (sudoUser) {
+        try {
+            const userHome = execSync(`eval echo ~${sudoUser}`, {
+                encoding: 'utf-8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+                timeout: 3000,
+            }).trim();
+            pidPaths.splice(1, 0, path.join(userHome, '.agenshield', 'daemon.pid'));
+        }
+        catch { /* ignore */ }
+    }
+    for (const pidPath of pidPaths) {
+        try {
+            if (fs.existsSync(pidPath)) {
+                const pid = parseInt(fs.readFileSync(pidPath, 'utf8').trim(), 10);
+                if (!isNaN(pid)) {
+                    process.kill(pid, 0); // throws if not running
+                    return pid;
+                }
+            }
+        }
+        catch { /* stale or inaccessible */ }
+    }
+    return null;
+}
+/**
+ * Find daemon PID by checking which process is listening on the daemon port
+ */
+function findDaemonPidByPort(port) {
+    try {
+        const output = execSync(`lsof -ti :${port}`, {
+            encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 3000,
+        }).trim();
+        if (output) {
+            const pid = parseInt(output.split('\n')[0], 10);
+            if (!isNaN(pid))
+                return pid;
+        }
+    }
+    catch { /* lsof failed */ }
+    return null;
+}
+/**
+ * Start the daemon
+ */
+export async function startDaemon(options = {}) {
+    // Check if already running
+    const status = await getDaemonStatus();
+    if (status.running) {
+        return {
+            success: true,
+            message: 'Daemon is already running',
+            pid: status.pid,
+        };
+    }
+    // Find daemon executable
+    let daemonPath = findDaemonExecutable();
+    let runner = 'node';
+    if (!daemonPath) {
+        // Fallback: run from TypeScript source via tsx
+        const source = findDaemonSource();
+        const tsx = findTsx();
+        if (source && tsx) {
+            daemonPath = source;
+            runner = tsx;
+        }
+        else {
+            return {
+                success: false,
+                message: 'Daemon executable not found. Build first: npx nx build shield-daemon',
+            };
+        }
+    }
+    const env = {
+        ...process.env,
+        AGENSHIELD_PORT: String(DAEMON_CONFIG.PORT),
+        AGENSHIELD_HOST: DAEMON_CONFIG.HOST,
+    };
+    const isUnderSudo = !!process.env['SUDO_USER'];
+    if (isUnderSudo) {
+        // Legacy path: running via "sudo agenshield daemon start"
+        const userEnv = captureCallingUserEnv();
+        if (userEnv) {
+            const secretNames = Object.keys(userEnv).filter(k => userEnv[k] && isSecretEnvVar(k));
+            if (secretNames.length > 0) {
+                env['AGENSHIELD_USER_SECRETS'] = secretNames.join(',');
+            }
+            if (userEnv['PATH']) {
+                env['PATH'] = userEnv['PATH'];
+            }
+        }
+    }
+    else {
+        // User-mode: process.env already has correct PATH and secrets
+        const secretNames = Object.keys(process.env).filter(k => process.env[k] && isSecretEnvVar(k));
+        if (secretNames.length > 0) {
+            env['AGENSHIELD_USER_SECRETS'] = secretNames.join(',');
+        }
+    }
+    // Ensure system dirs exist and are writable (daemon runs as root)
+    for (const dir of [DAEMON_CONFIG.LOG_DIR, DAEMON_CONFIG.SOCKET_DIR]) {
+        try {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        catch {
+            // May already exist
+        }
+    }
+    // Ensure user config dir
+    const configDir = path.join(os.homedir(), '.agenshield');
+    fs.mkdirSync(configDir, { recursive: true });
+    if (options.foreground) {
+        // Run in foreground (blocking)
+        const spawnOpts = {
+            stdio: 'inherit',
+            env,
+        };
+        const child = spawn(runner, [daemonPath], spawnOpts);
+        return new Promise((resolve) => {
+            child.on('exit', (code) => {
+                resolve({
+                    success: code === 0,
+                    message: code === 0 ? 'Daemon exited' : `Daemon exited with code ${code}`,
+                });
+            });
+        });
+    }
+    // Run in background
+    try {
+        // Try launchctl first (macOS preferred)
+        try {
+            execSync('launchctl list com.agenshield.daemon 2>/dev/null', { stdio: 'pipe' });
+            execSync('launchctl start com.agenshield.daemon');
+            return {
+                success: true,
+                message: 'Daemon started via launchd',
+            };
+        }
+        catch {
+            // Not using launchd, fall back to nohup
+        }
+        let logDir = env['AGENSHIELD_LOG_DIR'] || DAEMON_CONFIG.LOG_DIR;
+        let logFile = path.join(logDir, 'daemon.log');
+        let logFd;
+        try {
+            logFd = fs.openSync(logFile, 'a');
+        }
+        catch {
+            // File open failed — fall back to user-local log
+            logDir = path.join(os.homedir(), '.agenshield', 'logs');
+            fs.mkdirSync(logDir, { recursive: true });
+            logFile = path.join(logDir, 'daemon.log');
+            logFd = fs.openSync(logFile, 'a');
+        }
+        const bgSpawnOpts = {
+            detached: true,
+            stdio: ['ignore', logFd, logFd],
+            env,
+        };
+        const child = spawn(runner, [daemonPath], bgSpawnOpts);
+        child.unref();
+        // Write PID file
+        try {
+            fs.writeFileSync(DAEMON_CONFIG.PID_FILE, String(child.pid));
+        }
+        catch {
+            // May require sudo
+        }
+        // Wait a moment and verify
+        await new Promise((resolve) => setTimeout(resolve, 1000));
+        const newStatus = await getDaemonStatus();
+        if (newStatus.running) {
+            return {
+                success: true,
+                message: 'Daemon started',
+                pid: child.pid,
+            };
+        }
+        else {
+            return {
+                success: false,
+                message: `Daemon failed to start. Check logs at ${logFile}`,
+            };
+        }
+    }
+    catch (err) {
+        return {
+            success: false,
+            message: `Failed to start daemon: ${err.message}`,
+        };
+    }
+}
+/**
+ * Stop the daemon
+ */
+export async function stopDaemon() {
+    const status = await getDaemonStatus();
+    if (!status.running) {
+        return {
+            success: true,
+            message: 'Daemon is not running',
+        };
+    }
+    // Try launchctl first
+    try {
+        execSync('launchctl list com.agenshield.daemon 2>/dev/null', { stdio: 'pipe' });
+        execSync('launchctl stop com.agenshield.daemon');
+        return {
+            success: true,
+            message: 'Daemon stopped via launchd',
+        };
+    }
+    catch {
+        // Not using launchd
+    }
+    // Try killing by PID
+    if (status.pid) {
+        try {
+            process.kill(status.pid, 'SIGTERM');
+            // Wait for process to exit
+            await new Promise((resolve) => setTimeout(resolve, 1000));
+            // Clean up PID file
+            try {
+                fs.unlinkSync(DAEMON_CONFIG.PID_FILE);
+            }
+            catch {
+                // Ignore
+            }
+            return {
+                success: true,
+                message: `Daemon stopped (PID ${status.pid})`,
+            };
+        }
+        catch (err) {
+            return {
+                success: false,
+                message: `Failed to stop daemon: ${err.message}`,
+            };
+        }
+    }
+    // Fallback: find PID by port
+    const portPid = findDaemonPidByPort(DAEMON_CONFIG.PORT);
+    if (portPid) {
+        try {
+            process.kill(portPid, 'SIGTERM');
+            await new Promise(r => setTimeout(r, 1000));
+            return { success: true, message: `Daemon stopped (PID ${portPid}, via port lookup)` };
+        }
+        catch (err) {
+            return { success: false, message: `Failed to stop daemon: ${err.message}` };
+        }
+    }
+    return {
+        success: false,
+        message: 'Could not determine daemon PID. Try: pkill -f agenshield-daemon',
+    };
+}
+/**
+ * Restart the daemon
+ */
+export async function restartDaemon() {
+    const stopResult = await stopDaemon();
+    if (!stopResult.success && stopResult.message !== 'Daemon is not running') {
+        return stopResult;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 500));
+    const startResult = await startDaemon({ foreground: false });
+    return startResult;
+}
+//# sourceMappingURL=daemon.js.map

package/src/utils/daemon.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"daemon.js","sourceRoot":"","sources":["../../../src/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAErD,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,QAAQ,EAAE,oCAAoC;IAC9C,IAAI,EAAE,IAAI;IACV,IAAI,EAAE,WAAW,EAAE,uDAAuD;IAC1E,YAAY,EAAE,WAAW,EAAE,qCAAqC;IAChE,OAAO,EAAE,qBAAqB;IAC9B,UAAU,EAAE,qBAAqB;CAClC,CAAC;AAaF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,uCAAuC;IACvC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,aAAa,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,aAAa,EAAE;YAC5F,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAwB,CAAC;YAC5D,MAAM,GAAG,GAAG,aAAa,EAAE,IAAI,mBAAmB,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;YACvE,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,GAAG,EAAE,GAAG,IAAI,SAAS;gBACrB,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,GAAG,EAAE,UAAU,aAAa,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,EAAE;aAC1D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;IACnC,CAAC;IAED,+CAA+C;IAC/C,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,EAAE,CAAC;QACR,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,WAAW,GAAG;QAClB,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,qCAAqC,CAAC;QAC3D,qBAAqB;QACrB,uCAAuC;QACvC,yCAAyC;QACzC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,iCAAiC,CAAC;KAC5D,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,IAAI,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,WAAW,GAAG;QAClB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,oCAAoC,CAAC;QAC1D,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,gCAAgC,CAAC;KAC3D,CAAC;IACF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,OAAO;IACd,MAAM,WAAW,GAAG;QAClB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,uBAAuB,CAAC;KAClD,CAAC;IACF,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,SAAS,aAAa;IACpB,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IACzE,MAAM,aAAa,GAAG,aAAa,CAAC,QAAQ,CAAC;IAC7C,MAAM,QAAQ,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAE9C,yEAAyE;IACzE,gEAAgE;IAChE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC1C,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,cAAc,QAAQ,EAAE,EAAE;gBAClD,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,IAAI,EAAE,CAAC;YACV,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3B,MAAM,GAAG,GAAG,QAAQ,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBAClE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,wBAAwB;oBAC9C,OAAO,GAAG,CAAC;gBACb,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,2BAA2B,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,IAAY;IACvC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,IAAI,EAAE,EAAE;YAC3C,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,EAAE,IAAI;SAClE,CAAC,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAChD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;gBAAE,OAAO,GAAG,CAAC;QAC9B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC7B,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAAoC,EAAE;IAKtE,2BAA2B;IAC3B,MAAM,MAAM,GAAG,MAAM,eAAe,EAAE,CAAC;IACvC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,2BAA2B;YACpC,GAAG,EAAE,MAAM,CAAC,GAAG;SAChB,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,UAAU,GAAG,oBAAoB,EAAE,CAAC;IACxC,IAAI,MAAM,GAAG,MAAM,CAAC;IAEpB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,+CAA+C;QAC/C,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;QACtB,IAAI,MAAM,IAAI,GAAG,EAAE,CAAC;YAClB,UAAU,GAAG,MAAM,CAAC;YACpB,MAAM,GAAG,GAAG,CAAC;QACf,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,sEAAsE;aAChF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,GAAG,GAAuC;QAC9C,GAAG,OAAO,CAAC,GAAG;QACd,eAAe,EAAE,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC;QAC3C,eAAe,EAAE,aAAa,CAAC,IAAI;KACpC,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAE/C,IAAI,WAAW,EAAE,CAAC;QAChB,0DAA0D;QAC1D,MAAM,OAAO,GAAG,qBAAqB,EAAE,CAAC;QACxC,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;YACtF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,GAAG,CAAC,yBAAyB,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzD,CAAC;YACD,IAAI,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACpB,GAAG,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,8DAA8D;QAC9D,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CACjD,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,CACzC,CAAC;QACF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,GAAG,CAAC,yBAAyB,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,KAAK,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;QACpE,IAAI,CAAC;YACH,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;IACzD,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE7C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,+BAA+B;QAC/B,MAAM,SAAS,GAAiB;YAC9B,KAAK,EAAE,SAAS;YAChB,GAAG;SACJ,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,SAAS,CAAC,CAAC;QAErD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,OAAO,CAAC;oBACN,OAAO,EAAE,IAAI,KAAK,CAAC;oBACnB,OAAO,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,2BAA2B,IAAI,EAAE;iBAC1E,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,oBAAoB;IACpB,IAAI,CAAC;QACH,wCAAwC;QACxC,IAAI,CAAC;YACH,QAAQ,CAAC,kDAAkD,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAChF,QAAQ,CAAC,uCAAuC,CAAC,CAAC;YAClD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,4BAA4B;aACtC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QAED,IAAI,MAAM,GAAG,GAAG,CAAC,oBAAoB,CAAC,IAAI,aAAa,CAAC,OAAO,CAAC;QAChE,IAAI,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QAC9C,IAAI,KAAa,CAAC;QAClB,IAAI,CAAC;YACH,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,iDAAiD;YACjD,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;YACxD,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1C,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;YAC1C,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,WAAW,GAAiB;YAChC,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC;YAC/B,GAAG;SACJ,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,WAAW,CAAC,CAAC;QAEvD,KAAK,CAAC,KAAK,EAAE,CAAC;QAEd,iBAAiB;QACjB,IAAI,CAAC;YACH,EAAE,CAAC,aAAa,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,mBAAmB;QACrB,CAAC;QAED,2BAA2B;QAC3B,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,MAAM,eAAe,EAAE,CAAC;QAE1C,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;YACtB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,gBAAgB;gBACzB,GAAG,EAAE,KAAK,CAAC,GAAG;aACf,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,yCAAyC,OAAO,EAAE;aAC5D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,2BAA4B,GAAa,CAAC,OAAO,EAAE;SAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU;IAI9B,MAAM,MAAM,GAAG,MAAM,eAAe,EAAE,CAAC;IAEvC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,uBAAuB;SACjC,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,IAAI,CAAC;QACH,QAAQ,CAAC,kDAAkD,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAChF,QAAQ,CAAC,sCAAsC,CAAC,CAAC;QACjD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,4BAA4B;SACtC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;IACtB,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAEpC,2BAA2B;YAC3B,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;YAE1D,oBAAoB;YACpB,IAAI,CAAC;gBACH,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,uBAAuB,MAAM,CAAC,GAAG,GAAG;aAC9C,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,0BAA2B,GAAa,CAAC,OAAO,EAAE;aAC5D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,MAAM,OAAO,GAAG,mBAAmB,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;YACjC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YAC5C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,uBAAuB,OAAO,oBAAoB,EAAE,CAAC;QACxF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,0BAA2B,GAAa,CAAC,OAAO,EAAE,EAAE,CAAC;QACzF,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,OAAO,EAAE,iEAAiE;KAC3E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IAIjC,MAAM,UAAU,GAAG,MAAM,UAAU,EAAE,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,OAAO,IAAI,UAAU,CAAC,OAAO,KAAK,uBAAuB,EAAE,CAAC;QAC1E,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;IAEzD,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7D,OAAO,WAAW,CAAC;AACrB,CAAC","sourcesContent":["/**\n * Daemon management utilities\n *\n * Provides functions for starting, stopping, and monitoring the AgenShield daemon.\n */\n\nimport { spawn, execSync } from 'node:child_process';\nimport type { SpawnOptions } from 'node:child_process';\nimport * as fs from 'node:fs';\nimport * as os from 'node:os';\nimport * as path from 'node:path';\nimport { fileURLToPath } from 'node:url';\nimport { isSecretEnvVar } from '@agenshield/sandbox';\nimport { captureCallingUserEnv } from './sudo-env.js';\n\nconst __filename = fileURLToPath(import.meta.url);\nconst __dirname = path.dirname(__filename);\n\n/**\n * Daemon configuration\n */\nexport const DAEMON_CONFIG = {\n  PID_FILE: '/var/run/agenshield/agenshield.pid',\n  PORT: 5200,\n  HOST: '127.0.0.1', // Use IPv4 for actual connections (avoids IPv6 issues)\n  DISPLAY_HOST: 'localhost', // Use localhost for user-facing URLs\n  LOG_DIR: '/var/log/agenshield',\n  SOCKET_DIR: '/var/run/agenshield',\n};\n\n/**\n * Status of the daemon\n */\nexport interface DaemonStatus {\n  running: boolean;\n  pid?: number;\n  port?: number;\n  uptime?: string;\n  url?: string;\n}\n\n/**\n * Get the current daemon status\n */\nexport async function getDaemonStatus(): Promise<DaemonStatus> {\n  // Check via HTTP health endpoint first\n  try {\n    const controller = new AbortController();\n    const timeout = setTimeout(() => controller.abort(), 2000);\n\n    const response = await fetch(`http://${DAEMON_CONFIG.HOST}:${DAEMON_CONFIG.PORT}/api/health`, {\n      signal: controller.signal,\n    });\n    clearTimeout(timeout);\n\n    if (response.ok) {\n      const data = (await response.json()) as { uptime?: string };\n      const pid = findDaemonPid() || findDaemonPidByPort(DAEMON_CONFIG.PORT);\n      return {\n        running: true,\n        pid: pid ?? undefined,\n        port: DAEMON_CONFIG.PORT,\n        uptime: data.uptime,\n        url: `http://${DAEMON_CONFIG.HOST}:${DAEMON_CONFIG.PORT}`,\n      };\n    }\n  } catch {\n    // Daemon not responding via HTTP\n  }\n\n  // Check PID files (home dir + legacy location)\n  const pid = findDaemonPid();\n  if (pid) {\n    return { running: true, pid };\n  }\n\n  return { running: false };\n}\n\n/**\n * Find the daemon executable path\n */\nexport function findDaemonExecutable(): string | null {\n  const searchPaths = [\n    // Relative to CLI dist\n    path.join(__dirname, '../../../shield-daemon/dist/main.js'),\n    // Installed location\n    '/opt/agenshield/bin/agenshield-daemon',\n    // Development location from project root\n    path.join(process.cwd(), 'libs/shield-daemon/dist/main.js'),\n  ];\n\n  for (const p of searchPaths) {\n    if (fs.existsSync(p)) {\n      return p;\n    }\n  }\n\n  return null;\n}\n\n/**\n * Find the daemon TypeScript source (for tsx fallback in dev)\n */\nexport function findDaemonSource(): string | null {\n  const searchPaths = [\n    path.join(__dirname, '../../../shield-daemon/src/main.ts'),\n    path.join(process.cwd(), 'libs/shield-daemon/src/main.ts'),\n  ];\n  return searchPaths.find(p => fs.existsSync(p)) || null;\n}\n\n/**\n * Find tsx binary for running TypeScript directly\n */\nfunction findTsx(): string | null {\n  const searchPaths = [\n    path.join(process.cwd(), 'node_modules/.bin/tsx'),\n  ];\n  return searchPaths.find(p => fs.existsSync(p)) || null;\n}\n\n/**\n * Find daemon PID from known PID file locations\n */\nfunction findDaemonPid(): number | null {\n  const homePidPath = path.join(os.homedir(), '.agenshield', 'daemon.pid');\n  const legacyPidPath = DAEMON_CONFIG.PID_FILE;\n  const pidPaths = [homePidPath, legacyPidPath];\n\n  // When running as root via sudo, the daemon runs as SUDO_USER and writes\n  // its PID to ~sudouser/.agenshield/daemon.pid (not /var/root/).\n  const sudoUser = process.env['SUDO_USER'];\n  if (sudoUser) {\n    try {\n      const userHome = execSync(`eval echo ~${sudoUser}`, {\n        encoding: 'utf-8',\n        stdio: ['pipe', 'pipe', 'pipe'],\n        timeout: 3000,\n      }).trim();\n      pidPaths.splice(1, 0, path.join(userHome, '.agenshield', 'daemon.pid'));\n    } catch { /* ignore */ }\n  }\n\n  for (const pidPath of pidPaths) {\n    try {\n      if (fs.existsSync(pidPath)) {\n        const pid = parseInt(fs.readFileSync(pidPath, 'utf8').trim(), 10);\n        if (!isNaN(pid)) {\n          process.kill(pid, 0); // throws if not running\n          return pid;\n        }\n      }\n    } catch { /* stale or inaccessible */ }\n  }\n  return null;\n}\n\n/**\n * Find daemon PID by checking which process is listening on the daemon port\n */\nfunction findDaemonPidByPort(port: number): number | null {\n  try {\n    const output = execSync(`lsof -ti :${port}`, {\n      encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 3000,\n    }).trim();\n    if (output) {\n      const pid = parseInt(output.split('\\n')[0], 10);\n      if (!isNaN(pid)) return pid;\n    }\n  } catch { /* lsof failed */ }\n  return null;\n}\n\n/**\n * Start the daemon\n */\nexport async function startDaemon(options: { foreground?: boolean } = {}): Promise<{\n  success: boolean;\n  message: string;\n  pid?: number;\n}> {\n  // Check if already running\n  const status = await getDaemonStatus();\n  if (status.running) {\n    return {\n      success: true,\n      message: 'Daemon is already running',\n      pid: status.pid,\n    };\n  }\n\n  // Find daemon executable\n  let daemonPath = findDaemonExecutable();\n  let runner = 'node';\n\n  if (!daemonPath) {\n    // Fallback: run from TypeScript source via tsx\n    const source = findDaemonSource();\n    const tsx = findTsx();\n    if (source && tsx) {\n      daemonPath = source;\n      runner = tsx;\n    } else {\n      return {\n        success: false,\n        message: 'Daemon executable not found. Build first: npx nx build shield-daemon',\n      };\n    }\n  }\n\n  const env: Record<string, string | undefined> = {\n    ...process.env,\n    AGENSHIELD_PORT: String(DAEMON_CONFIG.PORT),\n    AGENSHIELD_HOST: DAEMON_CONFIG.HOST,\n  };\n\n  const isUnderSudo = !!process.env['SUDO_USER'];\n\n  if (isUnderSudo) {\n    // Legacy path: running via \"sudo agenshield daemon start\"\n    const userEnv = captureCallingUserEnv();\n    if (userEnv) {\n      const secretNames = Object.keys(userEnv).filter(k => userEnv[k] && isSecretEnvVar(k));\n      if (secretNames.length > 0) {\n        env['AGENSHIELD_USER_SECRETS'] = secretNames.join(',');\n      }\n      if (userEnv['PATH']) {\n        env['PATH'] = userEnv['PATH'];\n      }\n    }\n  } else {\n    // User-mode: process.env already has correct PATH and secrets\n    const secretNames = Object.keys(process.env).filter(\n      k => process.env[k] && isSecretEnvVar(k)\n    );\n    if (secretNames.length > 0) {\n      env['AGENSHIELD_USER_SECRETS'] = secretNames.join(',');\n    }\n  }\n\n  // Ensure system dirs exist and are writable (daemon runs as root)\n  for (const dir of [DAEMON_CONFIG.LOG_DIR, DAEMON_CONFIG.SOCKET_DIR]) {\n    try {\n      fs.mkdirSync(dir, { recursive: true });\n    } catch {\n      // May already exist\n    }\n  }\n\n  // Ensure user config dir\n  const configDir = path.join(os.homedir(), '.agenshield');\n  fs.mkdirSync(configDir, { recursive: true });\n\n  if (options.foreground) {\n    // Run in foreground (blocking)\n    const spawnOpts: SpawnOptions = {\n      stdio: 'inherit',\n      env,\n    };\n    const child = spawn(runner, [daemonPath], spawnOpts);\n\n    return new Promise((resolve) => {\n      child.on('exit', (code) => {\n        resolve({\n          success: code === 0,\n          message: code === 0 ? 'Daemon exited' : `Daemon exited with code ${code}`,\n        });\n      });\n    });\n  }\n\n  // Run in background\n  try {\n    // Try launchctl first (macOS preferred)\n    try {\n      execSync('launchctl list com.agenshield.daemon 2>/dev/null', { stdio: 'pipe' });\n      execSync('launchctl start com.agenshield.daemon');\n      return {\n        success: true,\n        message: 'Daemon started via launchd',\n      };\n    } catch {\n      // Not using launchd, fall back to nohup\n    }\n\n    let logDir = env['AGENSHIELD_LOG_DIR'] || DAEMON_CONFIG.LOG_DIR;\n    let logFile = path.join(logDir, 'daemon.log');\n    let logFd: number;\n    try {\n      logFd = fs.openSync(logFile, 'a');\n    } catch {\n      // File open failed — fall back to user-local log\n      logDir = path.join(os.homedir(), '.agenshield', 'logs');\n      fs.mkdirSync(logDir, { recursive: true });\n      logFile = path.join(logDir, 'daemon.log');\n      logFd = fs.openSync(logFile, 'a');\n    }\n\n    const bgSpawnOpts: SpawnOptions = {\n      detached: true,\n      stdio: ['ignore', logFd, logFd],\n      env,\n    };\n    const child = spawn(runner, [daemonPath], bgSpawnOpts);\n\n    child.unref();\n\n    // Write PID file\n    try {\n      fs.writeFileSync(DAEMON_CONFIG.PID_FILE, String(child.pid));\n    } catch {\n      // May require sudo\n    }\n\n    // Wait a moment and verify\n    await new Promise((resolve) => setTimeout(resolve, 1000));\n    const newStatus = await getDaemonStatus();\n\n    if (newStatus.running) {\n      return {\n        success: true,\n        message: 'Daemon started',\n        pid: child.pid,\n      };\n    } else {\n      return {\n        success: false,\n        message: `Daemon failed to start. Check logs at ${logFile}`,\n      };\n    }\n  } catch (err) {\n    return {\n      success: false,\n      message: `Failed to start daemon: ${(err as Error).message}`,\n    };\n  }\n}\n\n/**\n * Stop the daemon\n */\nexport async function stopDaemon(): Promise<{\n  success: boolean;\n  message: string;\n}> {\n  const status = await getDaemonStatus();\n\n  if (!status.running) {\n    return {\n      success: true,\n      message: 'Daemon is not running',\n    };\n  }\n\n  // Try launchctl first\n  try {\n    execSync('launchctl list com.agenshield.daemon 2>/dev/null', { stdio: 'pipe' });\n    execSync('launchctl stop com.agenshield.daemon');\n    return {\n      success: true,\n      message: 'Daemon stopped via launchd',\n    };\n  } catch {\n    // Not using launchd\n  }\n\n  // Try killing by PID\n  if (status.pid) {\n    try {\n      process.kill(status.pid, 'SIGTERM');\n\n      // Wait for process to exit\n      await new Promise((resolve) => setTimeout(resolve, 1000));\n\n      // Clean up PID file\n      try {\n        fs.unlinkSync(DAEMON_CONFIG.PID_FILE);\n      } catch {\n        // Ignore\n      }\n\n      return {\n        success: true,\n        message: `Daemon stopped (PID ${status.pid})`,\n      };\n    } catch (err) {\n      return {\n        success: false,\n        message: `Failed to stop daemon: ${(err as Error).message}`,\n      };\n    }\n  }\n\n  // Fallback: find PID by port\n  const portPid = findDaemonPidByPort(DAEMON_CONFIG.PORT);\n  if (portPid) {\n    try {\n      process.kill(portPid, 'SIGTERM');\n      await new Promise(r => setTimeout(r, 1000));\n      return { success: true, message: `Daemon stopped (PID ${portPid}, via port lookup)` };\n    } catch (err) {\n      return { success: false, message: `Failed to stop daemon: ${(err as Error).message}` };\n    }\n  }\n\n  return {\n    success: false,\n    message: 'Could not determine daemon PID. Try: pkill -f agenshield-daemon',\n  };\n}\n\n/**\n * Restart the daemon\n */\nexport async function restartDaemon(): Promise<{\n  success: boolean;\n  message: string;\n}> {\n  const stopResult = await stopDaemon();\n  if (!stopResult.success && stopResult.message !== 'Daemon is not running') {\n    return stopResult;\n  }\n\n  await new Promise((resolve) => setTimeout(resolve, 500));\n\n  const startResult = await startDaemon({ foreground: false });\n  return startResult;\n}\n"]}

package/src/utils/find-test-harness.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Locate the test harness binary path
+ */
+export declare function findTestHarness(): string | null;
+//# sourceMappingURL=find-test-harness.d.ts.map

package/src/utils/find-test-harness.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-test-harness.d.ts","sourceRoot":"","sources":["../../../src/utils/find-test-harness.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,wBAAgB,eAAe,IAAI,MAAM,GAAG,IAAI,CAe/C"}

package/src/utils/find-test-harness.js

@@ -0,0 +1,23 @@
+/**
+ * Locate the test harness binary path
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+export function findTestHarness() {
+    const searchPaths = [
+        // Development location from project root
+        path.join(process.cwd(), 'tools/test-harness/bin/dummy-openclaw.js'),
+        // Relative to CLI dist
+        path.join(__dirname, '../../../../tools/test-harness/bin/dummy-openclaw.js'),
+    ];
+    for (const p of searchPaths) {
+        if (fs.existsSync(p)) {
+            return path.resolve(p);
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=find-test-harness.js.map

package/src/utils/find-test-harness.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"find-test-harness.js","sourceRoot":"","sources":["../../../src/utils/find-test-harness.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAE3C,MAAM,UAAU,eAAe;IAC7B,MAAM,WAAW,GAAG;QAClB,yCAAyC;QACzC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,0CAA0C,CAAC;QACpE,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,sDAAsD,CAAC;KAC7E,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,IAAI,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["/**\n * Locate the test harness binary path\n */\n\nimport * as fs from 'node:fs';\nimport * as path from 'node:path';\nimport { fileURLToPath } from 'node:url';\n\nconst __filename = fileURLToPath(import.meta.url);\nconst __dirname = path.dirname(__filename);\n\nexport function findTestHarness(): string | null {\n  const searchPaths = [\n    // Development location from project root\n    path.join(process.cwd(), 'tools/test-harness/bin/dummy-openclaw.js'),\n    // Relative to CLI dist\n    path.join(__dirname, '../../../../tools/test-harness/bin/dummy-openclaw.js'),\n  ];\n\n  for (const p of searchPaths) {\n    if (fs.existsSync(p)) {\n      return path.resolve(p);\n    }\n  }\n\n  return null;\n}\n"]}

package/src/utils/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * CLI Utilities
+ */
+export * from './privileges.js';
+export * from './daemon.js';
+export * from './find-test-harness.js';
+export * from './sudo-env.js';
+//# sourceMappingURL=index.d.ts.map

package/src/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,wBAAwB,CAAC;AACvC,cAAc,eAAe,CAAC"}

package/src/utils/index.js

@@ -0,0 +1,8 @@
+/**
+ * CLI Utilities
+ */
+export * from './privileges.js';
+export * from './daemon.js';
+export * from './find-test-harness.js';
+export * from './sudo-env.js';
+//# sourceMappingURL=index.js.map

package/src/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/utils/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,wBAAwB,CAAC;AACvC,cAAc,eAAe,CAAC","sourcesContent":["/**\n * CLI Utilities\n */\n\nexport * from './privileges.js';\nexport * from './daemon.js';\nexport * from './find-test-harness.js';\nexport * from './sudo-env.js';\n"]}

package/src/utils/privileges.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Privilege detection utilities
+ *
+ * Detects user privileges and provides utilities for privilege-related operations.
+ */
+/**
+ * Information about the current user's privileges
+ */
+export interface PrivilegeInfo {
+    /** Whether running as root (UID 0) */
+    isRoot: boolean;
+    /** Current user ID */
+    uid: number;
+    /** Current group ID */
+    gid: number;
+    /** Current username */
+    username: string;
+    /** Whether the user can use sudo */
+    canSudo: boolean;
+    /** Whether sudo can be used without a password */
+    sudoNoPassword: boolean;
+}
+/**
+ * Detect the current user's privileges
+ */
+export declare function detectPrivileges(): PrivilegeInfo;
+/**
+ * Ensure sudo credentials are cached so subsequent `sudo` child-process
+ * calls succeed without a TTY prompt.
+ * Call this once before a batch of privileged operations.
+ */
+export declare function ensureSudoAccess(): void;
+/**
+ * Start a keepalive interval that refreshes sudo credentials every 2 minutes
+ * so the 5-minute sudo cache doesn't expire during long-running setup phases.
+ */
+export declare function startSudoKeepalive(): NodeJS.Timeout;
+/**
+ * Check if a command requires root privileges
+ */
+export declare function requiresRoot(command: string): boolean;
+/**
+ * Print a warning about missing privileges
+ */
+export declare function printPrivilegeWarning(command: string, priv?: PrivilegeInfo): void;
+/**
+ * Ensure the command is running with root privileges
+ * Exits the process if not running as root
+ */
+export declare function ensureRoot(command: string): void;
+//# sourceMappingURL=privileges.d.ts.map

package/src/utils/privileges.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privileges.d.ts","sourceRoot":"","sources":["../../../src/utils/privileges.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,sCAAsC;IACtC,MAAM,EAAE,OAAO,CAAC;IAChB,sBAAsB;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,aAAa,CAiChD;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,IAAI,IAAI,CAmBvC;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAInD;AAQD;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAErD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,aAAa,GAAG,IAAI,CAoBjF;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAMhD"}

package/src/utils/privileges.js

@@ -0,0 +1,125 @@
+/**
+ * Privilege detection utilities
+ *
+ * Detects user privileges and provides utilities for privilege-related operations.
+ */
+import { execSync } from 'node:child_process';
+import * as os from 'node:os';
+/**
+ * Detect the current user's privileges
+ */
+export function detectPrivileges() {
+    const uid = process.getuid?.() ?? -1;
+    const gid = process.getgid?.() ?? -1;
+    const username = os.userInfo().username;
+    const isRoot = uid === 0;
+    // Check if user can use sudo
+    let canSudo = false;
+    let sudoNoPassword = false;
+    if (!isRoot) {
+        try {
+            // Check if user is in admin/sudo group
+            const groups = execSync('groups', { encoding: 'utf8' });
+            canSudo = groups.includes('admin') || groups.includes('wheel') || groups.includes('sudo');
+            // Check if SUDO_ASKPASS is set
+            if (process.env['SUDO_ASKPASS']) {
+                sudoNoPassword = true;
+            }
+        }
+        catch {
+            // Ignore errors
+        }
+    }
+    return {
+        isRoot,
+        uid,
+        gid,
+        username,
+        canSudo,
+        sudoNoPassword,
+    };
+}
+/**
+ * Ensure sudo credentials are cached so subsequent `sudo` child-process
+ * calls succeed without a TTY prompt.
+ * Call this once before a batch of privileged operations.
+ */
+export function ensureSudoAccess() {
+    const priv = detectPrivileges();
+    if (priv.isRoot)
+        return; // Already root, no need
+    // Check if sudo credentials are already cached (non-interactive check)
+    try {
+        execSync('sudo -n true', { stdio: 'pipe', timeout: 5_000 });
+        return; // Credentials already cached, no prompt needed
+    }
+    catch {
+        // Credentials not cached — need to prompt
+    }
+    console.log('\nThis operation requires administrator privileges.\n');
+    try {
+        execSync('sudo -v', { stdio: 'inherit', timeout: 60_000 });
+    }
+    catch {
+        console.error('Failed to obtain sudo access.');
+        process.exit(1);
+    }
+}
+/**
+ * Start a keepalive interval that refreshes sudo credentials every 2 minutes
+ * so the 5-minute sudo cache doesn't expire during long-running setup phases.
+ */
+export function startSudoKeepalive() {
+    return setInterval(() => {
+        try {
+            execSync('sudo -v', { stdio: 'pipe', timeout: 2000 });
+        }
+        catch { /* ignore */ }
+    }, 120_000);
+}
+/**
+ * Commands that require root privileges
+ * (Empty — no command requires root upfront anymore; sudo is requested on demand)
+ */
+const ROOT_COMMANDS = [];
+/**
+ * Check if a command requires root privileges
+ */
+export function requiresRoot(command) {
+    return ROOT_COMMANDS.some((c) => command.startsWith(c));
+}
+/**
+ * Print a warning about missing privileges
+ */
+export function printPrivilegeWarning(command, priv) {
+    const p = priv ?? detectPrivileges();
+    console.log('\x1b[33m⚠ Warning: This command requires elevated privileges.\x1b[0m');
+    console.log('');
+    console.log('You are currently running as:');
+    console.log(`  User: ${p.username} (UID: ${p.uid})`);
+    console.log('');
+    if (p.canSudo) {
+        console.log('Run with sudo:');
+        console.log(`  \x1b[36msudo agenshield ${command}\x1b[0m`);
+    }
+    else {
+        console.log('You need administrator privileges. Either:');
+        console.log('  1. Run as root user');
+        console.log('  2. Add your user to the admin group');
+        console.log('');
+        console.log(`  \x1b[36msudo agenshield ${command}\x1b[0m`);
+    }
+    console.log('');
+}
+/**
+ * Ensure the command is running with root privileges
+ * Exits the process if not running as root
+ */
+export function ensureRoot(command) {
+    const priv = detectPrivileges();
+    if (!priv.isRoot) {
+        printPrivilegeWarning(command, priv);
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=privileges.js.map