arafatkatze · April 7, 2026 09:37
diff --git a/inspect-runtime.sh b/inspect-runtime.sh
 #!/usr/bin/env bash

 set -u
 set -o pipefail

 export LC_ALL=C

 SCRIPT_NAME="$(basename "$0")"
 HOSTNAME_VALUE="$(hostname 2>/dev/null || uname -n 2>/dev/null || echo unknown-host)"
 TIMESTAMP_UTC="$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || echo unknown-time)"
 DEFAULT_OUTPUT="runtime-report-${HOSTNAME_VALUE}-$(date -u +"%Y%m%dT%H%M%SZ" 2>/dev/null || echo unknown).md"
 OUTPUT_PATH="-"
 INCLUDE_FULL_ENV=0
 INCLUDE_CLOUD_METADATA=1

 usage() {
  cat <<EOF
 Usage: ${SCRIPT_NAME} [--output PATH|-] [--full-env] [--no-cloud-metadata]

 Produces a markdown report describing the current machine/container/pod/runtime.

 Options:
  --output PATH         Write the report to PATH instead of stdout.
  --output -            Write to stdout (default).
  --full-env            Include a fully redacted environment dump.
  --no-cloud-metadata   Skip cloud metadata endpoint checks.
  -h, --help            Show this help.
 EOF
 }

 while [[ $# -gt 0 ]]; do
  case "$1" in
    --output)
      OUTPUT_PATH="${2:-}"
      shift 2
      ;;
    --full-env)
      INCLUDE_FULL_ENV=1
      shift
      ;;
    --no-cloud-metadata)
      INCLUDE_CLOUD_METADATA=0
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
 done

 if [[ -z "${OUTPUT_PATH}" ]]; then
  echo "--output requires a value" >&2
  exit 1
 fi

 have() {
  command -v "$1" >/dev/null 2>&1
 }

 is_linux() {
  [[ "$(uname -s 2>/dev/null || true)" == "Linux" ]]
 }

 trim() {
  awk '{$1=$1; print}'
 }

 redact_env_value() {
  local key="$1"
  local value="$2"
  if [[ "${key}" =~ (TOKEN|SECRET|PASS|PASSWORD|KEY|COOKIE|SESSION|AUTH|CREDENTIAL|PRIVATE|ACCESS|REFRESH|BEARER) ]]; then
    printf '<redacted>'
  else
    printf '%s' "${value}"
  fi
 }

 redact_inline_secrets() {
  sed -E \
    -e 's#(https?://)[^/@[:space:]]+@#\1***@#g' \
    -e 's#([?&](token|access_token|auth|key|apikey|api_key|password|passwd|secret)=)[^&[:space:]]+#\1<redacted>#Ig' \
    -e 's#(Authorization: Bearer )[[:graph:]]+#\1<redacted>#Ig'
 }

 capture_cmd() {
  local cmd="$1"
  local out
  out="$(bash -lc "${cmd}" 2>&1)" || true
  printf '%s\n' "${out}"
 }

 print_section() {
  printf '\n## %s\n\n' "$1"
 }

 print_subsection() {
  printf '### %s\n\n' "$1"
 }

 print_code_block() {
  local body="$1"
  printf '```text\n%s\n```\n\n' "${body}"
 }

 print_shell_block() {
  local cmd="$1"
  local body="$2"
  printf '```bash\n$ %s\n%s\n```\n\n' "${cmd}" "${body}"
 }

 first_line() {
  sed -n '1p'
 }

 detect_virtualization() {
  if have systemd-detect-virt; then
    systemd-detect-virt 2>/dev/null || true
  fi
 }

 read_file() {
  local path="$1"
  if [[ -r "${path}" ]]; then
    cat "${path}"
  fi
 }

 safe_head() {
  local path="$1"
  local lines="${2:-40}"
  if [[ -r "${path}" ]]; then
    sed -n "1,${lines}p" "${path}"
  fi
 }

 os_pretty_name() {
  if [[ -r /etc/os-release ]]; then
    grep '^PRETTY_NAME=' /etc/os-release | cut -d= -f2- | tr -d '"'
    return
  fi

  if have sw_vers; then
    sw_vers -productName 2>/dev/null
    local version
    version="$(sw_vers -productVersion 2>/dev/null || true)"
    [[ -n "${version}" ]] && printf ' %s' "${version}"
    printf '\n'
    return
  fi

  printf 'unknown\n'
 }

 uptime_summary() {
  if have uptime; then
    if uptime -p >/dev/null 2>&1; then
      uptime -p 2>/dev/null
    else
      uptime 2>/dev/null
    fi
  fi
 }

 logical_cpus() {
  if have nproc; then
    nproc
    return
  fi

  if have sysctl; then
    sysctl -n hw.logicalcpu 2>/dev/null || sysctl -n hw.ncpu 2>/dev/null || true
  fi
 }

 filesystem_usage_summary() {
  local path="$1"
  local line
  line="$(df -hP "${path}" 2>/dev/null | tail -n 1)"
  if [[ -n "${line}" ]]; then
    awk '{print $3 " used / " $2 " total (" $5 "), avail " $4}' <<<"${line}"
  fi
 }

 find_mount_for_path() {
  local path="$1"
  if have findmnt; then
    findmnt -T "${path}" -o TARGET,SOURCE,FSTYPE,OPTIONS -n 2>/dev/null || true
  else
    df -hP "${path}" 2>/dev/null | tail -n +2 || true
  fi
 }

 path_exists() {
  [[ -e "$1" ]]
 }

 guess_path_persistence() {
  local path="$1"
  local info
  info="$(find_mount_for_path "${path}")"

  if [[ -z "${info}" ]]; then
    printf 'unknown'
    return
  fi

  if grep -qi 'kubernetes\.io~empty-dir' <<<"${info}"; then
    printf 'ephemeral emptyDir (survives container restart, not pod replacement)'
    return
  fi

  if grep -qiE 'kubernetes\.io~(secret|projected|configmap)' <<<"${info}"; then
    printf 'projected/config volume (not durable application storage)'
    return
  fi

  if grep -qiE 'kubernetes\.io~csi|pvc|persistentvolumeclaim' <<<"${info}"; then
    printf 'likely persistent volume'
    return
  fi

  if grep -qiE '/var/lib/docker/overlay2| overlay ' <<<"${info}"; then
    printf 'container writable layer / overlay (usually ephemeral)'
    return
  fi

  if grep -qiE '/var/lib/docker/volumes|/var/lib/kubelet|/dev/' <<<"${info}"; then
    printf 'host-backed mount or block-backed filesystem'
    return
  fi

  printf 'unknown'
 }

 detect_workload_type() {
  local kubernetes=0
  local docker=0
  local podman=0
  local containerenv=0
  local cgroup_text
  local mount_text
  local virt

  [[ -e /var/run/secrets/kubernetes.io/serviceaccount/token ]] && kubernetes=1
  env | grep -q '^KUBERNETES_SERVICE_HOST=' && kubernetes=1

  [[ -e /.dockerenv ]] && docker=1
  [[ -e /run/.containerenv ]] && containerenv=1

  cgroup_text="$(capture_cmd 'cat /proc/1/cgroup; echo; cat /proc/self/cgroup')"
  mount_text="$(capture_cmd 'cat /proc/1/mountinfo | head -80')"
  virt="$(detect_virtualization)"

  grep -qi 'kubepods' <<<"${cgroup_text}" && kubernetes=1
  grep -qi '/var/lib/kubelet' <<<"${mount_text}" && kubernetes=1
  grep -qi '/var/lib/docker/overlay2' <<<"${mount_text}" && docker=1
  [[ "${virt}" == "docker" ]] && docker=1
  [[ "${virt}" == "podman" ]] && podman=1

  if (( kubernetes )); then
    printf 'Kubernetes pod/container'
    return
  fi

  if (( docker )); then
    printf 'Docker container'
    return
  fi

  if (( podman || containerenv )); then
    printf 'Container (non-Docker or unknown runtime)'
    return
  fi

  if [[ -n "${virt}" && "${virt}" != "none" ]]; then
    printf 'VM or virtualized host (%s)' "${virt}"
    return
  fi

  printf 'VM or bare-metal host'
 }

 detect_host_virtualization() {
  local virt product vendor
  virt="$(detect_virtualization)"
  product="$(read_file /sys/devices/virtual/dmi/id/product_name | first_line)"
  vendor="$(read_file /sys/devices/virtual/dmi/id/sys_vendor | first_line)"

  if [[ -n "${virt}" && "${virt}" != "none" && "${virt}" != "docker" && "${virt}" != "podman" ]]; then
    printf '%s' "${virt}"
    return
  fi

  if [[ -n "${vendor}" || -n "${product}" ]]; then
    printf '%s %s' "${vendor}" "${product}" | trim
    return
  fi

  printf 'unknown'
 }

 detect_desktop_stack() {
  local ps_out
  ps_out="$(capture_cmd "ps -eo pid,ppid,comm,args | grep -Ei 'Xtigervnc|Xvfb|websockify|novnc|xfce4-session|xfwm4|xfdesktop|xfce4-panel|plank|thunar|gnome-shell|weston|xrdp' | grep -v grep")"
  if [[ -n "${ps_out}" ]]; then
    printf 'present'
  else
    printf 'not detected'
  fi
 }

 detect_ide_stack() {
  local ps_out
  ps_out="$(capture_cmd "ps -eo pid,ppid,comm,args | grep -Ei 'cursor-server|code-server|vscode-server|openvscode|cline|codex|agent|pod-daemon' | grep -v grep")"
  if [[ -n "${ps_out}" ]]; then
    printf 'present'
  else
    printf 'not detected'
  fi
 }

 selected_env_dump() {
  env | sort | while IFS='=' read -r key value; do
    case "${key}" in
      HOME|HOSTNAME|LANG|LC_*|LOGNAME|PATH|PWD|SHELL|SHLVL|TERM|TZ|USER|VIRTUAL_ENV|CONDA_PREFIX|KUBERNETES_*|POD_*|CONTAINER_*|DOCKER_*|AWS_*|GCP_*|GOOGLE_*|AZURE_*|CI|GIT_*|SSH_*|XDG_*|DISPLAY|WAYLAND_DISPLAY)
        printf '%s=%s\n' "${key}" "$(redact_env_value "${key}" "${value}")"
        ;;
    esac
  done
 }

 full_env_dump() {
  env | sort | while IFS='=' read -r key value; do
    printf '%s=%s\n' "${key}" "$(redact_env_value "${key}" "${value}")"
  done
 }

 tool_version_line() {
  local tool="$1"
  local cmd="$2"
  if have "${tool}"; then
    local out
    out="$(capture_cmd "${cmd}" | first_line | redact_inline_secrets)"
    printf -- '- `%s`: %s\n' "${tool}" "${out:-available}"
  else
    printf -- '- `%s`: not installed\n' "${tool}"
  fi
 }

 cloud_metadata_summary() {
  local gcp_name gcp_zone gcp_project aws_doc azure_doc

  if (( ! INCLUDE_CLOUD_METADATA )); then
    printf 'Cloud metadata checks skipped by flag.\n'
    return
  fi

  if have curl; then
    gcp_name="$(curl -fsS --max-time 1 -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/name 2>/dev/null || true)"
    gcp_zone="$(curl -fsS --max-time 1 -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/zone 2>/dev/null | awk -F/ '{print $NF}' || true)"
    gcp_project="$(curl -fsS --max-time 1 -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/project/project-id 2>/dev/null || true)"
    aws_doc="$(curl -fsS --max-time 1 http://169.254.169.254/latest/dynamic/instance-identity/document 2>/dev/null || true)"
    azure_doc="$(curl -fsS --max-time 1 -H 'Metadata: true' 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01&format=text' 2>/dev/null || true)"

    if [[ -n "${gcp_name}" || -n "${gcp_zone}" || -n "${gcp_project}" ]]; then
      printf -- '- GCP metadata detected\n'
      [[ -n "${gcp_project}" ]] && printf '  - project: `%s`\n' "${gcp_project}"
      [[ -n "${gcp_zone}" ]] && printf '  - zone: `%s`\n' "${gcp_zone}"
      [[ -n "${gcp_name}" ]] && printf '  - instance: `%s`\n' "${gcp_name}"
    fi

    if [[ -n "${aws_doc}" ]]; then
      printf -- '- AWS metadata endpoint responded\n'
      printf '  - snippet: `%s`\n' "$(printf '%s' "${aws_doc}" | tr '\n' ' ' | cut -c1-180)"
    fi

    if [[ -n "${azure_doc}" ]]; then
      printf -- '- Azure metadata endpoint responded\n'
      printf '  - snippet: `%s`\n' "$(printf '%s' "${azure_doc}" | tr '\n' ' ' | cut -c1-180)"
    fi

    if [[ -z "${gcp_name}${gcp_zone}${gcp_project}${aws_doc}${azure_doc}" ]]; then
      printf -- '- No common cloud metadata endpoint responded within 1s\n'
    fi
  else
    printf -- '- curl not installed; cloud metadata checks skipped\n'
  fi
 }

 emit_report() {
  local workload_type host_virtualization virtualization shell_name report_user report_pwd
  local workspace_guess root_guess cline_guess workspaces_guess home_guess
  local desktop_stack ide_stack

  workload_type="$(detect_workload_type)"
  host_virtualization="$(detect_host_virtualization)"
  virtualization="$(detect_virtualization)"
  shell_name="${SHELL:-unknown}"
  report_user="$(id -un 2>/dev/null || echo unknown)"
  report_pwd="$(pwd 2>/dev/null || echo unknown)"
  desktop_stack="$(detect_desktop_stack)"
  ide_stack="$(detect_ide_stack)"

  workspace_guess="$(path_exists /workspace && guess_path_persistence /workspace || echo 'path not present')"
  root_guess="$(guess_path_persistence /)"
  cline_guess="$(path_exists /root/.cline && guess_path_persistence /root/.cline || echo 'path not present')"
  workspaces_guess="$(path_exists /workspaces && guess_path_persistence /workspaces || echo 'path not present')"
  home_guess="$(guess_path_persistence /home)"

  printf '# Runtime Inspection Report\n\n'
  printf '_Generated by `%s` on `%s` at `%s` UTC._\n\n' "${SCRIPT_NAME}" "${HOSTNAME_VALUE}" "${TIMESTAMP_UTC}"
  printf '_Secrets in environment values are redacted._\n\n'

  print_section "Executive Summary"
  printf -- '- Likely workload type: `%s`\n' "${workload_type}"
  printf -- '- Virtualization signal: `%s`\n' "${virtualization:-unknown}"
  printf -- '- Underlying host virtualization hint: `%s`\n' "${host_virtualization}"
  printf -- '- Desktop/remote GUI components: `%s`\n' "${desktop_stack}"
  printf -- '- IDE/agent components: `%s`\n' "${ide_stack}"
  printf -- '- Persistence guess for `/`: `%s`\n' "${root_guess}"
  printf -- '- Persistence guess for `/workspace`: `%s`\n' "${workspace_guess}"
  printf -- '- Persistence guess for `/workspaces`: `%s`\n' "${workspaces_guess}"
  printf -- '- Persistence guess for `/root/.cline`: `%s`\n' "${cline_guess}"
  printf -- '- Persistence guess for `/home`: `%s`\n' "${home_guess}"

  print_section "Identity"
  printf -- '- User: `%s`\n' "${report_user}"
  printf -- '- Hostname: `%s`\n' "${HOSTNAME_VALUE}"
  printf -- '- Working directory: `%s`\n' "${report_pwd}"
  printf -- '- Shell: `%s`\n' "${shell_name}"
  printf -- '- Uptime: `%s`\n' "$(uptime_summary | first_line)"
  printf -- '- Kernel: `%s`\n' "$(capture_cmd 'uname -a' | first_line)"
  printf -- '- OS: `%s`\n' "$(os_pretty_name | first_line)"
  printf -- '- Architecture: `%s`\n' "$(capture_cmd 'uname -m' | first_line)"
  printf -- '- Primary IPs: `%s`\n' "$(capture_cmd "hostname -I 2>/dev/null || true" | tr '\n' ' ' | trim)"

  print_section "Runtime Heuristics"
  print_subsection "Key Signals"
  printf -- '- `/.dockerenv`: `%s`\n' "$( [[ -e /.dockerenv ]] && echo present || echo absent )"
  printf -- '- `/run/.containerenv`: `%s`\n' "$( [[ -e /run/.containerenv ]] && echo present || echo absent )"
  printf -- '- Kubernetes service account mount: `%s`\n' "$( [[ -e /var/run/secrets/kubernetes.io/serviceaccount/token ]] && echo present || echo absent )"
  printf -- '- `systemd-detect-virt`: `%s`\n' "${virtualization:-no output}"
  printf -- '- DMI product name: `%s`\n' "$(read_file /sys/devices/virtual/dmi/id/product_name | first_line)"
  printf -- '- DMI vendor: `%s`\n' "$(read_file /sys/devices/virtual/dmi/id/sys_vendor | first_line)"

  print_subsection "Relevant Environment"
  print_code_block "$(selected_env_dump)"

  print_subsection "cgroup"
  print_shell_block "cat /proc/1/cgroup && echo && cat /proc/self/cgroup" "$(capture_cmd 'cat /proc/1/cgroup && echo && cat /proc/self/cgroup')"

  print_subsection "Mount Root Snippet"
  print_shell_block "cat /proc/1/mountinfo | head -40" "$(capture_cmd 'cat /proc/1/mountinfo | head -40')"

  print_section "CPU And Memory"
  print_subsection "Quick Summary"
  printf -- '- Logical CPUs: `%s`\n' "$(logical_cpus | first_line)"
  printf -- '- CPU quota (`/sys/fs/cgroup/cpu.max`): `%s`\n' "$(read_file /sys/fs/cgroup/cpu.max | first_line)"
  printf -- '- Memory limit (`/sys/fs/cgroup/memory.max`): `%s`\n' "$(read_file /sys/fs/cgroup/memory.max | first_line)"
  printf -- '- Memory current (`/sys/fs/cgroup/memory.current`): `%s`\n' "$(read_file /sys/fs/cgroup/memory.current | first_line)"

  print_subsection "lscpu"
  if have lscpu; then
    print_shell_block "lscpu" "$(capture_cmd 'lscpu')"
  else
    print_code_block "lscpu not installed"
  fi

  print_subsection "free -h"
  if have free; then
    print_shell_block "free -h" "$(capture_cmd 'free -h')"
  else
    print_code_block "free not installed"
  fi

  print_section "Storage And Persistence"
  print_subsection "Filesystem Summary"
  if have df; then
    if is_linux; then
      print_shell_block "df -hT" "$(capture_cmd 'df -hT')"
    else
      print_shell_block "df -hP" "$(capture_cmd 'df -hP')"
    fi
  fi

  if have lsblk; then
    print_subsection "Block Devices"
    print_shell_block "lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINTS" "$(capture_cmd 'lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINTS')"
  fi

  print_subsection "Important Paths"
  printf '| Path | Exists | Mount Info | Persistence Guess | Size |\n'
  printf '| --- | --- | --- | --- | --- |\n'
  for path in / /workspace /workspaces /root /root/.cline /home /home/ubuntu /app /tmp; do
    local exists="no"
    local mount_info=""
    local guess=""
    local size=""
    if [[ -e "${path}" ]]; then
      exists="yes"
      mount_info="$(find_mount_for_path "${path}" | redact_inline_secrets | tr '\n' ' ' | trim)"
      guess="$(guess_path_persistence "${path}")"
      size="$(filesystem_usage_summary "${path}")"
    else
      mount_info="-"
      guess="-"
      size="-"
    fi
    printf '| `%s` | %s | `%s` | %s | `%s` |\n' "${path}" "${exists}" "${mount_info:--}" "${guess:--}" "${size:--}"
  done
  printf '\n'

  print_section "Processes"
  print_subsection "Top By CPU"
  print_shell_block "ps -eo pid,ppid,%cpu,%mem,etime,cmd --sort=-%cpu | head -25" "$(capture_cmd 'ps -eo pid,ppid,%cpu,%mem,etime,cmd --sort=-%cpu | head -25')"

  print_subsection "Top By Memory"
  print_shell_block "ps -eo pid,ppid,%cpu,%mem,rss,etime,cmd --sort=-%mem | head -25" "$(capture_cmd 'ps -eo pid,ppid,%cpu,%mem,rss,etime,cmd --sort=-%mem | head -25')"

  print_subsection "Desktop / IDE / Agent Signals"
  print_shell_block "ps -eo pid,ppid,comm,args | grep -Ei 'Xtigervnc|Xvfb|websockify|novnc|xfce|plank|thunar|cursor-server|code-server|vscode-server|cline|codex|agent|pod-daemon' | grep -v grep" "$(capture_cmd "ps -eo pid,ppid,comm,args | grep -Ei 'Xtigervnc|Xvfb|websockify|novnc|xfce|plank|thunar|cursor-server|code-server|vscode-server|cline|codex|agent|pod-daemon' | grep -v grep")"

  print_section "Networking"
  if have ss; then
    print_subsection "Listening Ports"
    print_shell_block "ss -lntup" "$(capture_cmd 'ss -lntup')"
  fi

  if have ip; then
    print_subsection "Interfaces"
    print_shell_block "ip -brief address" "$(capture_cmd 'ip -brief address')"
    print_subsection "Routes"
    print_shell_block "ip route" "$(capture_cmd 'ip route')"
  fi

  print_subsection "Resolver"
  print_shell_block "cat /etc/resolv.conf" "$(capture_cmd 'cat /etc/resolv.conf')"

  print_section "Workspace And Tooling"
  print_subsection "Working Directory"
  print_shell_block "pwd && ls -la" "$(capture_cmd 'pwd && ls -la')"

  if have git; then
    print_subsection "Git"
    print_shell_block "git rev-parse --show-toplevel && git status --short && git remote -v" "$(capture_cmd 'git rev-parse --show-toplevel && git status --short && git remote -v' | redact_inline_secrets)"
  fi

  print_subsection "Selected Tool Versions"
  tool_version_line bash 'bash --version'
  tool_version_line zsh 'zsh --version'
  tool_version_line sh 'sh --version'
  tool_version_line python3 'python3 --version'
  tool_version_line node 'node --version'
  tool_version_line npm 'npm --version'
  tool_version_line pnpm 'pnpm --version'
  tool_version_line yarn 'yarn --version'
  tool_version_line git 'git --version'
  tool_version_line docker 'docker --version'
  tool_version_line kubectl 'kubectl version --client --output=yaml | sed -n "1,6p"'
  tool_version_line go 'go version'
  tool_version_line rustc 'rustc --version'
  tool_version_line cargo 'cargo --version'
  tool_version_line java 'java -version'
  tool_version_line gcc 'gcc --version'
  tool_version_line code-server 'code-server --version'
  tool_version_line cursor-server 'cursor-server --version'
  tool_version_line cline 'cline --version'
  printf '\n'

  print_section "GPU"
  if have nvidia-smi; then
    print_shell_block "nvidia-smi" "$(capture_cmd 'nvidia-smi')"
  else
    print_code_block "nvidia-smi not installed or GPU not exposed"
  fi

  print_shell_block "ls -l /dev/nvidia* 2>/dev/null || true" "$(capture_cmd 'ls -l /dev/nvidia* 2>/dev/null || true')"

  print_section "Cloud Hints"
  printf '%s\n' "$(cloud_metadata_summary)"
  printf '\n'

  print_section "Raw Evidence Commands"
  printf 'These are the core commands this report relies on:\n\n'
  printf '```bash\n'
  printf '%s\n' \
    'uname -a' \
    'cat /etc/os-release' \
    'systemd-detect-virt' \
    'cat /.dockerenv' \
    'cat /proc/1/cgroup' \
    'cat /proc/self/cgroup' \
    'cat /proc/1/mountinfo | head -40' \
    'findmnt -T /workspace' \
    'df -hT' \
    'free -h' \
    'lscpu' \
    'ps -eo pid,ppid,%cpu,%mem,etime,cmd --sort=-%cpu | head -25' \
    'ss -lntup' \
    'ip -brief address' \
    'ip route'
  printf '```\n'

  if (( INCLUDE_FULL_ENV )); then
    print_section "Full Redacted Environment"
    print_code_block "$(full_env_dump)"
  fi
 }

 write_report() {
  if [[ "${OUTPUT_PATH}" == "-" ]]; then
    emit_report
  else
    emit_report >"${OUTPUT_PATH}"
    printf 'Wrote report to %s\n' "${OUTPUT_PATH}"
  fi
 }

 write_report
	#!/usr/bin/env bash

	set -u
	set -o pipefail

	export LC_ALL=C

	SCRIPT_NAME="$(basename "$0")"
	HOSTNAME_VALUE="$(hostname 2>/dev/null \|\| uname -n 2>/dev/null \|\| echo unknown-host)"
	TIMESTAMP_UTC="$(date -u +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null \|\| echo unknown-time)"
	DEFAULT_OUTPUT="runtime-report-${HOSTNAME_VALUE}-$(date -u +"%Y%m%dT%H%M%SZ" 2>/dev/null \|\| echo unknown).md"
	OUTPUT_PATH="-"
	INCLUDE_FULL_ENV=0
	INCLUDE_CLOUD_METADATA=1

	usage() {
	cat <<EOF
	Usage: ${SCRIPT_NAME} [--output PATH\|-] [--full-env] [--no-cloud-metadata]

	Produces a markdown report describing the current machine/container/pod/runtime.

	Options:
	--output PATH Write the report to PATH instead of stdout.
	--output - Write to stdout (default).
	--full-env Include a fully redacted environment dump.
	--no-cloud-metadata Skip cloud metadata endpoint checks.
	-h, --help Show this help.
	EOF
	}

	while [[ $# -gt 0 ]]; do
	case "$1" in
	--output)
	OUTPUT_PATH="${2:-}"
	shift 2
	;;
	--full-env)
	INCLUDE_FULL_ENV=1
	shift
	;;
	--no-cloud-metadata)
	INCLUDE_CLOUD_METADATA=0
	shift
	;;
	-h\|--help)
	usage
	exit 0
	;;
	*)
	echo "Unknown argument: $1" >&2
	usage >&2
	exit 1
	;;
	esac
	done

	if [[ -z "${OUTPUT_PATH}" ]]; then
	echo "--output requires a value" >&2
	exit 1
	fi

	have() {
	command -v "$1" >/dev/null 2>&1
	}

	is_linux() {
	[[ "$(uname -s 2>/dev/null \|\| true)" == "Linux" ]]
	}

	trim() {
	awk '{$1=$1; print}'
	}

	redact_env_value() {
	local key="$1"
	local value="$2"
	if [[ "${key}" =~ (TOKEN\|SECRET\|PASS\|PASSWORD\|KEY\|COOKIE\|SESSION\|AUTH\|CREDENTIAL\|PRIVATE\|ACCESS\|REFRESH\|BEARER) ]]; then
	printf '<redacted>'
	else
	printf '%s' "${value}"
	fi
	}

	redact_inline_secrets() {
	sed -E \
	-e 's#(https?://)[^/@[:space:]]+@#\1***@#g' \
	-e 's#([?&](token\|access_token\|auth\|key\|apikey\|api_key\|password\|passwd\|secret)=)[^&[:space:]]+#\1<redacted>#Ig' \
	-e 's#(Authorization: Bearer )[[:graph:]]+#\1<redacted>#Ig'
	}

	capture_cmd() {
	local cmd="$1"
	local out
	out="$(bash -lc "${cmd}" 2>&1)" \|\| true
	printf '%s\n' "${out}"
	}

	print_section() {
	printf '\n## %s\n\n' "$1"
	}

	print_subsection() {
	printf '### %s\n\n' "$1"
	}

	print_code_block() {
	local body="$1"
	printf '```text\n%s\n```\n\n' "${body}"
	}

	print_shell_block() {
	local cmd="$1"
	local body="$2"
	printf '```bash\n$ %s\n%s\n```\n\n' "${cmd}" "${body}"
	}

	first_line() {
	sed -n '1p'
	}

	detect_virtualization() {
	if have systemd-detect-virt; then
	systemd-detect-virt 2>/dev/null \|\| true
	fi
	}

	read_file() {
	local path="$1"
	if [[ -r "${path}" ]]; then
	cat "${path}"
	fi
	}

	safe_head() {
	local path="$1"
	local lines="${2:-40}"
	if [[ -r "${path}" ]]; then
	sed -n "1,${lines}p" "${path}"
	fi
	}

	os_pretty_name() {
	if [[ -r /etc/os-release ]]; then
	grep '^PRETTY_NAME=' /etc/os-release \| cut -d= -f2- \| tr -d '"'
	return
	fi

	if have sw_vers; then
	sw_vers -productName 2>/dev/null
	local version
	version="$(sw_vers -productVersion 2>/dev/null \|\| true)"
	[[ -n "${version}" ]] && printf ' %s' "${version}"
	printf '\n'
	return
	fi

	printf 'unknown\n'
	}

	uptime_summary() {
	if have uptime; then
	if uptime -p >/dev/null 2>&1; then
	uptime -p 2>/dev/null
	else
	uptime 2>/dev/null
	fi
	fi
	}

	logical_cpus() {
	if have nproc; then
	nproc
	return
	fi

	if have sysctl; then
	sysctl -n hw.logicalcpu 2>/dev/null \|\| sysctl -n hw.ncpu 2>/dev/null \|\| true
	fi
	}

	filesystem_usage_summary() {
	local path="$1"
	local line
	line="$(df -hP "${path}" 2>/dev/null \| tail -n 1)"
	if [[ -n "${line}" ]]; then
	awk '{print $3 " used / " $2 " total (" $5 "), avail " $4}' <<<"${line}"
	fi
	}

	find_mount_for_path() {
	local path="$1"
	if have findmnt; then
	findmnt -T "${path}" -o TARGET,SOURCE,FSTYPE,OPTIONS -n 2>/dev/null \|\| true
	else
	df -hP "${path}" 2>/dev/null \| tail -n +2 \|\| true
	fi
	}

	path_exists() {
	[[ -e "$1" ]]
	}

	guess_path_persistence() {
	local path="$1"
	local info
	info="$(find_mount_for_path "${path}")"

	if [[ -z "${info}" ]]; then
	printf 'unknown'
	return
	fi

	if grep -qi 'kubernetes\.io~empty-dir' <<<"${info}"; then
	printf 'ephemeral emptyDir (survives container restart, not pod replacement)'
	return
	fi

	if grep -qiE 'kubernetes\.io~(secret\|projected\|configmap)' <<<"${info}"; then
	printf 'projected/config volume (not durable application storage)'
	return
	fi

	if grep -qiE 'kubernetes\.io~csi\|pvc\|persistentvolumeclaim' <<<"${info}"; then
	printf 'likely persistent volume'
	return
	fi

	if grep -qiE '/var/lib/docker/overlay2\| overlay ' <<<"${info}"; then
	printf 'container writable layer / overlay (usually ephemeral)'
	return
	fi

	if grep -qiE '/var/lib/docker/volumes\|/var/lib/kubelet\|/dev/' <<<"${info}"; then
	printf 'host-backed mount or block-backed filesystem'
	return
	fi

	printf 'unknown'
	}

	detect_workload_type() {
	local kubernetes=0
	local docker=0
	local podman=0
	local containerenv=0
	local cgroup_text
	local mount_text
	local virt

	[[ -e /var/run/secrets/kubernetes.io/serviceaccount/token ]] && kubernetes=1
	env \| grep -q '^KUBERNETES_SERVICE_HOST=' && kubernetes=1

	[[ -e /.dockerenv ]] && docker=1
	[[ -e /run/.containerenv ]] && containerenv=1

	cgroup_text="$(capture_cmd 'cat /proc/1/cgroup; echo; cat /proc/self/cgroup')"
	mount_text="$(capture_cmd 'cat /proc/1/mountinfo \| head -80')"
	virt="$(detect_virtualization)"

	grep -qi 'kubepods' <<<"${cgroup_text}" && kubernetes=1
	grep -qi '/var/lib/kubelet' <<<"${mount_text}" && kubernetes=1
	grep -qi '/var/lib/docker/overlay2' <<<"${mount_text}" && docker=1
	[[ "${virt}" == "docker" ]] && docker=1
	[[ "${virt}" == "podman" ]] && podman=1

	if (( kubernetes )); then
	printf 'Kubernetes pod/container'
	return
	fi

	if (( docker )); then
	printf 'Docker container'
	return
	fi

	if (( podman \|\| containerenv )); then
	printf 'Container (non-Docker or unknown runtime)'
	return
	fi

	if [[ -n "${virt}" && "${virt}" != "none" ]]; then
	printf 'VM or virtualized host (%s)' "${virt}"
	return
	fi

	printf 'VM or bare-metal host'
	}

	detect_host_virtualization() {
	local virt product vendor
	virt="$(detect_virtualization)"
	product="$(read_file /sys/devices/virtual/dmi/id/product_name \| first_line)"
	vendor="$(read_file /sys/devices/virtual/dmi/id/sys_vendor \| first_line)"

	if [[ -n "${virt}" && "${virt}" != "none" && "${virt}" != "docker" && "${virt}" != "podman" ]]; then
	printf '%s' "${virt}"
	return
	fi

	if [[ -n "${vendor}" \|\| -n "${product}" ]]; then
	printf '%s %s' "${vendor}" "${product}" \| trim
	return
	fi

	printf 'unknown'
	}

	detect_desktop_stack() {
	local ps_out
	ps_out="$(capture_cmd "ps -eo pid,ppid,comm,args \| grep -Ei 'Xtigervnc\|Xvfb\|websockify\|novnc\|xfce4-session\|xfwm4\|xfdesktop\|xfce4-panel\|plank\|thunar\|gnome-shell\|weston\|xrdp' \| grep -v grep")"
	if [[ -n "${ps_out}" ]]; then
	printf 'present'
	else
	printf 'not detected'
	fi
	}

	detect_ide_stack() {
	local ps_out
	ps_out="$(capture_cmd "ps -eo pid,ppid,comm,args \| grep -Ei 'cursor-server\|code-server\|vscode-server\|openvscode\|cline\|codex\|agent\|pod-daemon' \| grep -v grep")"
	if [[ -n "${ps_out}" ]]; then
	printf 'present'
	else
	printf 'not detected'
	fi
	}

	selected_env_dump() {
	env \| sort \| while IFS='=' read -r key value; do
	case "${key}" in
	HOME\|HOSTNAME\|LANG\|LC_\|LOGNAME\|PATH\|PWD\|SHELL\|SHLVL\|TERM\|TZ\|USER\|VIRTUAL_ENV\|CONDA_PREFIX\|KUBERNETES_\|POD_\|CONTAINER_\|DOCKER_\|AWS_\|GCP_\|GOOGLE_\|AZURE_\|CI\|GIT_\|SSH_\|XDG_\|DISPLAY\|WAYLAND_DISPLAY)
	printf '%s=%s\n' "${key}" "$(redact_env_value "${key}" "${value}")"
	;;
	esac
	done
	}

	full_env_dump() {
	env \| sort \| while IFS='=' read -r key value; do
	printf '%s=%s\n' "${key}" "$(redact_env_value "${key}" "${value}")"
	done
	}

	tool_version_line() {
	local tool="$1"
	local cmd="$2"
	if have "${tool}"; then
	local out
	out="$(capture_cmd "${cmd}" \| first_line \| redact_inline_secrets)"
	printf -- '- `%s`: %s\n' "${tool}" "${out:-available}"
	else
	printf -- '- `%s`: not installed\n' "${tool}"
	fi
	}

	cloud_metadata_summary() {
	local gcp_name gcp_zone gcp_project aws_doc azure_doc

	if (( ! INCLUDE_CLOUD_METADATA )); then
	printf 'Cloud metadata checks skipped by flag.\n'
	return
	fi

	if have curl; then
	gcp_name="$(curl -fsS --max-time 1 -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/name 2>/dev/null \|\| true)"
	gcp_zone="$(curl -fsS --max-time 1 -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/zone 2>/dev/null \| awk -F/ '{print $NF}' \|\| true)"
	gcp_project="$(curl -fsS --max-time 1 -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/project/project-id 2>/dev/null \|\| true)"
	aws_doc="$(curl -fsS --max-time 1 http://169.254.169.254/latest/dynamic/instance-identity/document 2>/dev/null \|\| true)"
	azure_doc="$(curl -fsS --max-time 1 -H 'Metadata: true' 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01&format=text' 2>/dev/null \|\| true)"

	if [[ -n "${gcp_name}" \|\| -n "${gcp_zone}" \|\| -n "${gcp_project}" ]]; then
	printf -- '- GCP metadata detected\n'
	[[ -n "${gcp_project}" ]] && printf ' - project: `%s`\n' "${gcp_project}"
	[[ -n "${gcp_zone}" ]] && printf ' - zone: `%s`\n' "${gcp_zone}"
	[[ -n "${gcp_name}" ]] && printf ' - instance: `%s`\n' "${gcp_name}"
	fi

	if [[ -n "${aws_doc}" ]]; then
	printf -- '- AWS metadata endpoint responded\n'
	printf ' - snippet: `%s`\n' "$(printf '%s' "${aws_doc}" \| tr '\n' ' ' \| cut -c1-180)"
	fi

	if [[ -n "${azure_doc}" ]]; then
	printf -- '- Azure metadata endpoint responded\n'
	printf ' - snippet: `%s`\n' "$(printf '%s' "${azure_doc}" \| tr '\n' ' ' \| cut -c1-180)"
	fi

	if [[ -z "${gcp_name}${gcp_zone}${gcp_project}${aws_doc}${azure_doc}" ]]; then
	printf -- '- No common cloud metadata endpoint responded within 1s\n'
	fi
	else
	printf -- '- curl not installed; cloud metadata checks skipped\n'
	fi
	}

	emit_report() {
	local workload_type host_virtualization virtualization shell_name report_user report_pwd
	local workspace_guess root_guess cline_guess workspaces_guess home_guess
	local desktop_stack ide_stack

	workload_type="$(detect_workload_type)"
	host_virtualization="$(detect_host_virtualization)"
	virtualization="$(detect_virtualization)"
	shell_name="${SHELL:-unknown}"
	report_user="$(id -un 2>/dev/null \|\| echo unknown)"
	report_pwd="$(pwd 2>/dev/null \|\| echo unknown)"
	desktop_stack="$(detect_desktop_stack)"
	ide_stack="$(detect_ide_stack)"

	workspace_guess="$(path_exists /workspace && guess_path_persistence /workspace \|\| echo 'path not present')"
	root_guess="$(guess_path_persistence /)"
	cline_guess="$(path_exists /root/.cline && guess_path_persistence /root/.cline \|\| echo 'path not present')"
	workspaces_guess="$(path_exists /workspaces && guess_path_persistence /workspaces \|\| echo 'path not present')"
	home_guess="$(guess_path_persistence /home)"

	printf '# Runtime Inspection Report\n\n'
	printf '_Generated by `%s` on `%s` at `%s` UTC._\n\n' "${SCRIPT_NAME}" "${HOSTNAME_VALUE}" "${TIMESTAMP_UTC}"
	printf '_Secrets in environment values are redacted._\n\n'

	print_section "Executive Summary"
	printf -- '- Likely workload type: `%s`\n' "${workload_type}"
	printf -- '- Virtualization signal: `%s`\n' "${virtualization:-unknown}"
	printf -- '- Underlying host virtualization hint: `%s`\n' "${host_virtualization}"
	printf -- '- Desktop/remote GUI components: `%s`\n' "${desktop_stack}"
	printf -- '- IDE/agent components: `%s`\n' "${ide_stack}"
	printf -- '- Persistence guess for `/`: `%s`\n' "${root_guess}"
	printf -- '- Persistence guess for `/workspace`: `%s`\n' "${workspace_guess}"
	printf -- '- Persistence guess for `/workspaces`: `%s`\n' "${workspaces_guess}"
	printf -- '- Persistence guess for `/root/.cline`: `%s`\n' "${cline_guess}"
	printf -- '- Persistence guess for `/home`: `%s`\n' "${home_guess}"

	print_section "Identity"
	printf -- '- User: `%s`\n' "${report_user}"
	printf -- '- Hostname: `%s`\n' "${HOSTNAME_VALUE}"
	printf -- '- Working directory: `%s`\n' "${report_pwd}"
	printf -- '- Shell: `%s`\n' "${shell_name}"
	printf -- '- Uptime: `%s`\n' "$(uptime_summary \| first_line)"
	printf -- '- Kernel: `%s`\n' "$(capture_cmd 'uname -a' \| first_line)"
	printf -- '- OS: `%s`\n' "$(os_pretty_name \| first_line)"
	printf -- '- Architecture: `%s`\n' "$(capture_cmd 'uname -m' \| first_line)"
	printf -- '- Primary IPs: `%s`\n' "$(capture_cmd "hostname -I 2>/dev/null \|\| true" \| tr '\n' ' ' \| trim)"

	print_section "Runtime Heuristics"
	print_subsection "Key Signals"
	printf -- '- `/.dockerenv`: `%s`\n' "$( [[ -e /.dockerenv ]] && echo present \|\| echo absent )"
	printf -- '- `/run/.containerenv`: `%s`\n' "$( [[ -e /run/.containerenv ]] && echo present \|\| echo absent )"
	printf -- '- Kubernetes service account mount: `%s`\n' "$( [[ -e /var/run/secrets/kubernetes.io/serviceaccount/token ]] && echo present \|\| echo absent )"
	printf -- '- `systemd-detect-virt`: `%s`\n' "${virtualization:-no output}"
	printf -- '- DMI product name: `%s`\n' "$(read_file /sys/devices/virtual/dmi/id/product_name \| first_line)"
	printf -- '- DMI vendor: `%s`\n' "$(read_file /sys/devices/virtual/dmi/id/sys_vendor \| first_line)"

	print_subsection "Relevant Environment"
	print_code_block "$(selected_env_dump)"

	print_subsection "cgroup"
	print_shell_block "cat /proc/1/cgroup && echo && cat /proc/self/cgroup" "$(capture_cmd 'cat /proc/1/cgroup && echo && cat /proc/self/cgroup')"

	print_subsection "Mount Root Snippet"
	print_shell_block "cat /proc/1/mountinfo \| head -40" "$(capture_cmd 'cat /proc/1/mountinfo \| head -40')"

	print_section "CPU And Memory"
	print_subsection "Quick Summary"
	printf -- '- Logical CPUs: `%s`\n' "$(logical_cpus \| first_line)"
	printf -- '- CPU quota (`/sys/fs/cgroup/cpu.max`): `%s`\n' "$(read_file /sys/fs/cgroup/cpu.max \| first_line)"
	printf -- '- Memory limit (`/sys/fs/cgroup/memory.max`): `%s`\n' "$(read_file /sys/fs/cgroup/memory.max \| first_line)"
	printf -- '- Memory current (`/sys/fs/cgroup/memory.current`): `%s`\n' "$(read_file /sys/fs/cgroup/memory.current \| first_line)"

	print_subsection "lscpu"
	if have lscpu; then
	print_shell_block "lscpu" "$(capture_cmd 'lscpu')"
	else
	print_code_block "lscpu not installed"
	fi

	print_subsection "free -h"
	if have free; then
	print_shell_block "free -h" "$(capture_cmd 'free -h')"
	else
	print_code_block "free not installed"
	fi

	print_section "Storage And Persistence"
	print_subsection "Filesystem Summary"
	if have df; then
	if is_linux; then
	print_shell_block "df -hT" "$(capture_cmd 'df -hT')"
	else
	print_shell_block "df -hP" "$(capture_cmd 'df -hP')"
	fi
	fi

	if have lsblk; then
	print_subsection "Block Devices"
	print_shell_block "lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINTS" "$(capture_cmd 'lsblk -o NAME,SIZE,FSTYPE,TYPE,MOUNTPOINTS')"
	fi

	print_subsection "Important Paths"
	printf '\| Path \| Exists \| Mount Info \| Persistence Guess \| Size \|\n'
	printf '\| --- \| --- \| --- \| --- \| --- \|\n'
	for path in / /workspace /workspaces /root /root/.cline /home /home/ubuntu /app /tmp; do
	local exists="no"
	local mount_info=""
	local guess=""
	local size=""
	if [[ -e "${path}" ]]; then
	exists="yes"
	mount_info="$(find_mount_for_path "${path}" \| redact_inline_secrets \| tr '\n' ' ' \| trim)"
	guess="$(guess_path_persistence "${path}")"
	size="$(filesystem_usage_summary "${path}")"
	else
	mount_info="-"
	guess="-"
	size="-"
	fi
	printf '\| `%s` \| %s \| `%s` \| %s \| `%s` \|\n' "${path}" "${exists}" "${mount_info:--}" "${guess:--}" "${size:--}"
	done
	printf '\n'

	print_section "Processes"
	print_subsection "Top By CPU"
	print_shell_block "ps -eo pid,ppid,%cpu,%mem,etime,cmd --sort=-%cpu \| head -25" "$(capture_cmd 'ps -eo pid,ppid,%cpu,%mem,etime,cmd --sort=-%cpu \| head -25')"

	print_subsection "Top By Memory"
	print_shell_block "ps -eo pid,ppid,%cpu,%mem,rss,etime,cmd --sort=-%mem \| head -25" "$(capture_cmd 'ps -eo pid,ppid,%cpu,%mem,rss,etime,cmd --sort=-%mem \| head -25')"

	print_subsection "Desktop / IDE / Agent Signals"
	print_shell_block "ps -eo pid,ppid,comm,args \| grep -Ei 'Xtigervnc\|Xvfb\|websockify\|novnc\|xfce\|plank\|thunar\|cursor-server\|code-server\|vscode-server\|cline\|codex\|agent\|pod-daemon' \| grep -v grep" "$(capture_cmd "ps -eo pid,ppid,comm,args \| grep -Ei 'Xtigervnc\|Xvfb\|websockify\|novnc\|xfce\|plank\|thunar\|cursor-server\|code-server\|vscode-server\|cline\|codex\|agent\|pod-daemon' \| grep -v grep")"

	print_section "Networking"
	if have ss; then
	print_subsection "Listening Ports"
	print_shell_block "ss -lntup" "$(capture_cmd 'ss -lntup')"
	fi

	if have ip; then
	print_subsection "Interfaces"
	print_shell_block "ip -brief address" "$(capture_cmd 'ip -brief address')"
	print_subsection "Routes"
	print_shell_block "ip route" "$(capture_cmd 'ip route')"
	fi

	print_subsection "Resolver"
	print_shell_block "cat /etc/resolv.conf" "$(capture_cmd 'cat /etc/resolv.conf')"

	print_section "Workspace And Tooling"
	print_subsection "Working Directory"
	print_shell_block "pwd && ls -la" "$(capture_cmd 'pwd && ls -la')"

	if have git; then
	print_subsection "Git"
	print_shell_block "git rev-parse --show-toplevel && git status --short && git remote -v" "$(capture_cmd 'git rev-parse --show-toplevel && git status --short && git remote -v' \| redact_inline_secrets)"
	fi

	print_subsection "Selected Tool Versions"
	tool_version_line bash 'bash --version'
	tool_version_line zsh 'zsh --version'
	tool_version_line sh 'sh --version'
	tool_version_line python3 'python3 --version'
	tool_version_line node 'node --version'
	tool_version_line npm 'npm --version'
	tool_version_line pnpm 'pnpm --version'
	tool_version_line yarn 'yarn --version'
	tool_version_line git 'git --version'
	tool_version_line docker 'docker --version'
	tool_version_line kubectl 'kubectl version --client --output=yaml \| sed -n "1,6p"'
	tool_version_line go 'go version'
	tool_version_line rustc 'rustc --version'
	tool_version_line cargo 'cargo --version'
	tool_version_line java 'java -version'
	tool_version_line gcc 'gcc --version'
	tool_version_line code-server 'code-server --version'
	tool_version_line cursor-server 'cursor-server --version'
	tool_version_line cline 'cline --version'
	printf '\n'

	print_section "GPU"
	if have nvidia-smi; then
	print_shell_block "nvidia-smi" "$(capture_cmd 'nvidia-smi')"
	else
	print_code_block "nvidia-smi not installed or GPU not exposed"
	fi

	print_shell_block "ls -l /dev/nvidia* 2>/dev/null \|\| true" "$(capture_cmd 'ls -l /dev/nvidia* 2>/dev/null \|\| true')"

	print_section "Cloud Hints"
	printf '%s\n' "$(cloud_metadata_summary)"
	printf '\n'

	print_section "Raw Evidence Commands"
	printf 'These are the core commands this report relies on:\n\n'
	printf '```bash\n'
	printf '%s\n' \
	'uname -a' \
	'cat /etc/os-release' \
	'systemd-detect-virt' \
	'cat /.dockerenv' \
	'cat /proc/1/cgroup' \
	'cat /proc/self/cgroup' \
	'cat /proc/1/mountinfo \| head -40' \
	'findmnt -T /workspace' \
	'df -hT' \
	'free -h' \
	'lscpu' \
	'ps -eo pid,ppid,%cpu,%mem,etime,cmd --sort=-%cpu \| head -25' \
	'ss -lntup' \
	'ip -brief address' \
	'ip route'
	printf '```\n'

	if (( INCLUDE_FULL_ENV )); then
	print_section "Full Redacted Environment"
	print_code_block "$(full_env_dump)"
	fi
	}

	write_report() {
	if [[ "${OUTPUT_PATH}" == "-" ]]; then
	emit_report
	else
	emit_report >"${OUTPUT_PATH}"
	printf 'Wrote report to %s\n' "${OUTPUT_PATH}"
	fi
	}

	write_report
No results found