From d43d0babea6f244130cdfcf61c96941db4103168 Mon Sep 17 00:00:00 2001
From: behobu <kenneth.kaye@monad.com>
Date: Wed, 3 Jun 2026 15:47:20 -0600
Subject: [PATCH 1/5] feat(scripts): add scripts area with per-script docs and
 TLS cert tool

Establish a home for scripts that interact with Monad via its API, with a
convention that every script ships usage and limitations documentation.

- scripts/: one directory per script, each with a required README; a catalog
  table (with a Category column) in scripts/README.md; a copy-to-start
  _template/ (doc template + script stub with API-key/curl-config conventions).
- CONTRIBUTING.md: how to add a script + PR checklist (Limitations section
  required; no committed secrets; dry-run for state-changing scripts).
- LICENSE: add MIT.
- README.md: fix stale clone URL (monad-community/monad-community ->
  monad-inc/community) and add a Scripts section.
- First script: tls-cert-to-syslog-input (registers device TLS cert SHA-256
  fingerprints on a pipeline's Syslog input for SNI-less routing) with full
  usage + limitations README.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 CONTRIBUTING.md                               |  55 +++
 LICENSE                                       |  21 +
 README.md                                     |  17 +-
 scripts/README.md                             |  39 ++
 scripts/_template/README.md                   |  61 +++
 scripts/_template/script.sh                   |  62 +++
 scripts/tls-cert-to-syslog-input/README.md    | 111 +++++
 .../monad-tls-cert-to-pipeline.sh             | 416 ++++++++++++++++++
 8 files changed, 780 insertions(+), 2 deletions(-)
 create mode 100644 CONTRIBUTING.md
 create mode 100644 LICENSE
 create mode 100644 scripts/README.md
 create mode 100644 scripts/_template/README.md
 create mode 100644 scripts/_template/script.sh
 create mode 100644 scripts/tls-cert-to-syslog-input/README.md
 create mode 100755 scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..d46a9ea
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,55 @@
+# Contributing
+
+Thanks for adding to the Monad Community repo. This guide covers contributing
+**scripts** (the `scripts/` directory); for blog assets, just add files under
+`blog/`.
+
+## Adding a script
+
+Every script lives in its own directory under `scripts/<slug>/` and ships with a
+`README.md` documenting **how to use it and its limitations**. A script without
+that documentation will not be merged.
+
+1. **Scaffold from the template:**
+   ```bash
+   cp -r scripts/_template scripts/<your-slug>
+   ```
+   Use a short, descriptive `kebab-case` slug (e.g. `tls-cert-to-syslog-input`).
+
+2. **Add your script** to that directory (`.sh`, `.py`, etc.). Keep it
+   self-contained; put sample inputs/outputs under an `examples/` subfolder.
+
+3. **Fill in `scripts/<your-slug>/README.md`** — every section of the template,
+   especially **Limitations & caveats**. Be honest about what the script does
+   *not* do, what permissions it needs, and any edge cases.
+
+4. **Register it** in the catalog table in [`scripts/README.md`](scripts/README.md)
+   (one row: script, purpose, language, Monad API surface, category, link).
+
+5. **Open a PR.** See the checklist below.
+
+## Conventions
+
+- **Secrets never get committed.** Read credentials from an environment variable
+  (e.g. `MONAD_API_KEY`), a secrets manager, or an interactive prompt — never a
+  literal in the script or examples. Keep API keys out of the process list where
+  practical (e.g. pass headers to `curl` via `--config`, not the command line).
+- **Be portable and dependency-light.** Note the interpreter and required tools
+  (and versions) in the README. For Bash, target `bash` 3.2 (macOS default) where
+  feasible.
+- **Offer a dry run** for anything that writes/changes Monad state, so users can
+  preview before committing.
+- **Document the Monad API surface** the script touches (endpoints, MCP tools, or
+  connectors) and the API-key permissions required.
+- **Commits** follow [Conventional Commits](https://www.conventionalcommits.org/):
+  `feat(scripts): add <slug>`, `fix(scripts): …`, `docs(scripts): …`. Branch names
+  mirror the type: `feat/<slug>`, `fix/<slug>`.
+
+## PR checklist
+
+- [ ] Script lives in `scripts/<slug>/` with a populated `README.md`.
+- [ ] **Limitations & caveats** section is filled in (not left as a placeholder).
+- [ ] No secrets committed; credentials sourced from env/secret manager/prompt.
+- [ ] Usage examples included; a dry-run path exists for state-changing scripts.
+- [ ] Added a row to `scripts/README.md`.
+- [ ] Conventional Commit message and matching branch name.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..bc7b5b7
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Monad, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 79ee445..f823de7 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Welcome to the **Monad Community** repo, a central hub for all public-facing tec
 This repo contains a variety of public assets aimed at enhancing understanding and usability of data engineering concepts for cybersecurity. Key categories include:
 
 - **Log Samples**: Real-world before-and-after examples of log transformations, such as flattening, masking, and filtering.
-- **Code Snippets**: Ready-to-use scripts and configurations to help you implement and optimize your data pipelines.
+- **Code Snippets**: Ready-to-use scripts and configurations to help you implement and optimize your data pipelines. See [`scripts/`](scripts/).
 - **Transformation Examples**: JSON examples to showcase how data can be cleaned, normalized, and structured for better usability and actionability.
 - **Technical Assets**: Additional technical resources relevant to Monad’s security data platform and ecosystem.
 
@@ -21,13 +21,26 @@ This repo contains a variety of public assets aimed at enhancing understanding a
 2. **Download or Clone**:  
    - Clone the repository locally using:  
      ```bash
-     git clone https://github.com/monad-community/monad-community.git
+     git clone https://github.com/monad-inc/community.git
      ```
    - Or download the specific files you’re interested in.
 3. **Learn and Experiment**: Use the provided examples to improve your workflows, whether it’s optimizing log transformations, implementing cost-efficient data routing, or enhancing alert prioritization.
 
 ---
 
+## 🧰 Scripts
+
+Utility scripts that interact with Monad (REST API, MCP tools, or connectors)
+live under [`scripts/`](scripts/). Each script has its own directory with a
+`README.md` documenting its usage and limitations, and the catalog in
+[`scripts/README.md`](scripts/README.md) lists what's available.
+
+To add one, see [`CONTRIBUTING.md`](CONTRIBUTING.md) — copy `scripts/_template/`,
+fill in the README (including its **Limitations** section), and register it in the
+catalog.
+
+---
+
 ## 🚀 How This Can Help You
 
 The assets provided in this repository are tailored to support security teams in:
diff --git a/scripts/README.md b/scripts/README.md
new file mode 100644
index 0000000..c8a01bb
--- /dev/null
+++ b/scripts/README.md
@@ -0,0 +1,39 @@
+# Scripts
+
+Utility scripts that interact with Monad (its REST API, MCP tools, or
+connectors). Each script lives in its own directory with a `README.md` covering
+its usage and limitations.
+
+## Catalog
+
+| Script | Purpose | Language | Monad API surface | Category | Docs |
+|---|---|---|---|---|---|
+| [`tls-cert-to-syslog-input`](tls-cert-to-syslog-input/) | Register device TLS-certificate SHA-256 fingerprints on a pipeline's Syslog input so SNI-less sources route correctly | Bash | `GET /v1/organizations`, `GET /v2/{org}/pipelines/{id}`, `GET /v1/{org}/inputs/{id}`, `PATCH /v2/{org}/inputs/{id}` | Inputs / routing | [README](tls-cert-to-syslog-input/README.md) |
+
+## Layout
+
+```
+scripts/
+├── README.md            # this catalog
+├── _template/           # copy this to start a new script
+│   ├── README.md        # per-script doc template (fill every section)
+│   └── script.sh        # script header/convention stub
+└── <slug>/              # one directory per script
+    ├── README.md        # required: usage + limitations
+    ├── <script>.sh      # the script
+    └── examples/        # optional sample inputs/outputs
+```
+
+## Adding a script
+
+See [`../CONTRIBUTING.md`](../CONTRIBUTING.md). In short: copy `_template/` to
+`scripts/<slug>/`, fill in the README (including **Limitations & caveats**), add
+the script, and register a row in the catalog above.
+
+## Conventions (summary)
+
+- Credentials come from env vars / a secrets manager / an interactive prompt —
+  **never** committed. Keep API keys out of the process list where practical.
+- Note the interpreter and required tools/versions in each script's README.
+- Provide a **dry-run** for anything that changes Monad state.
+- Document the Monad API surface touched and the API-key permissions required.
diff --git a/scripts/_template/README.md b/scripts/_template/README.md
new file mode 100644
index 0000000..91ff142
--- /dev/null
+++ b/scripts/_template/README.md
@@ -0,0 +1,61 @@
+<!--
+  Per-script documentation template. Copy this whole directory:
+      cp -r scripts/_template scripts/<your-slug>
+  Then fill in EVERY section below. Do not leave the Limitations section as a
+  placeholder — a script without documented limitations will not be merged.
+  Delete this comment block when done.
+-->
+
+# <script name>
+
+## Purpose
+
+<One short paragraph: what the script does, and which Monad API surface it
+touches (endpoints / MCP tools / connectors).>
+
+## Requirements
+
+- Interpreter: <e.g. `bash` (3.2+), `python` 3.x>
+- Tools: <e.g. `curl`, `jq`, `openssl` — and any minimum versions>
+- Platform notes: <e.g. macOS/Linux; anything OS-specific>
+
+## Authentication
+
+<How the Monad API key is supplied (env var / secret manager / prompt) and the
+permissions it must have. Never hard-code credentials.>
+
+## Usage
+
+```bash
+<invocation with the most common flags>
+```
+
+| Flag | Required | Description |
+|------|----------|-------------|
+| `-x, --example` | yes/no | <what it does> |
+
+<Add a dry-run example if the script changes Monad state.>
+
+## Inputs / outputs
+
+- **Input:** <file formats / arguments the script consumes>
+- **Output / effects:** <what it prints, writes, or changes in Monad>
+
+## Limitations & caveats
+
+<!-- REQUIRED. Be specific and honest. Cover, as applicable: -->
+- <Required API-key permissions / scopes.>
+- <Rate limits or throughput ceilings.>
+- <Idempotency / merge / overwrite behavior.>
+- <What the script explicitly does NOT do.>
+- <Environment assumptions (shell version, dependencies) and known edge cases.>
+- <Any fire-and-forget / no-confirmation behaviors.>
+
+## Safety
+
+<Destructive-action notes, how secrets are handled, and how to preview changes
+(dry-run) before committing them.>
+
+## Related
+
+- <Monad docs / connector references / related scripts.>
diff --git a/scripts/_template/script.sh b/scripts/_template/script.sh
new file mode 100644
index 0000000..3221b51
--- /dev/null
+++ b/scripts/_template/script.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+#
+# <script-name>.sh
+#
+# <One-line summary of what this script does.>
+#
+# ---------------------------------------------------------------------------
+# Usage:
+#   <script-name>.sh -x <value> [options]
+#
+# Required:
+#   -x, --example       <description>
+#
+# API key (one of):
+#   -k, --api-key       Monad API key, OR
+#   env MONAD_API_KEY   Monad API key, OR
+#   (interactive prompt if neither is set and a terminal is attached).
+#
+# Optional:
+#   -n, --dry-run       Preview without changing Monad state.
+#   -h, --help          Show this help.
+# ---------------------------------------------------------------------------
+
+set -uo pipefail
+
+API_KEY="${MONAD_API_KEY:-}"
+BASE_URL="https://app.monad.com/api"
+PROG="$(basename "$0")"
+
+usage() { sed -n '2,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
+die()   { echo "$PROG: error: $*" >&2; exit 1; }
+
+# ---- arg parsing -----------------------------------------------------------
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -k|--api-key) API_KEY="${2:-}"; shift 2 ;;
+    -n|--dry-run) DRY_RUN=1; shift ;;
+    -h|--help)    usage; exit 0 ;;
+    *) die "unknown argument: $1 (use --help)" ;;
+  esac
+done
+
+# ---- prerequisites ---------------------------------------------------------
+for bin in curl jq; do
+  command -v "$bin" >/dev/null 2>&1 || die "$bin is required but not found in PATH"
+done
+
+# Resolve the API key without putting it on the command line / process list.
+if [ -z "$API_KEY" ] && [ -t 0 ]; then
+  printf 'Monad API key: ' >&2; read -rs API_KEY; printf '\n' >&2
+fi
+[ -n "$API_KEY" ] || die "no API key provided (use --api-key, MONAD_API_KEY, or run interactively)"
+
+# Pass the auth header to curl via a mode-600 config so the key stays out of `ps`.
+CURL_CFG="$(mktemp "${TMPDIR:-/tmp}/monad-curl.XXXXXX")" || die "could not create temp file"
+trap 'rm -f "$CURL_CFG"' EXIT INT TERM
+chmod 600 "$CURL_CFG"
+printf 'header = "Authorization: ApiKey %s"\n' "$API_KEY" > "$CURL_CFG"
+
+# ---- your logic here -------------------------------------------------------
+# Example call:
+#   curl -sS --config "$CURL_CFG" "${BASE_URL%/}/v1/organizations"
diff --git a/scripts/tls-cert-to-syslog-input/README.md b/scripts/tls-cert-to-syslog-input/README.md
new file mode 100644
index 0000000..57eca5b
--- /dev/null
+++ b/scripts/tls-cert-to-syslog-input/README.md
@@ -0,0 +1,111 @@
+# tls-cert-to-syslog-input
+
+`monad-tls-cert-to-pipeline.sh`
+
+## Purpose
+
+Registers device **TLS-certificate SHA-256 fingerprints** on a Monad pipeline's
+**Syslog input** so that log sources which **cannot use SNI** can still be routed
+to the correct pipeline. Monad's syslog receiver matches the client-certificate
+SHA-256 fingerprint of an incoming connection against the `cert_fingerprints`
+list configured on each Syslog input and routes accordingly.
+
+For each entry in the input file the script: (1) connects to the device over TLS
+with `openssl s_client`, (2) computes the SHA-256 of its leaf certificate
+(64-char lowercase hex over the DER encoding), and (3) adds that fingerprint to
+the Syslog input's `cert_fingerprints` via the Monad REST API. Precomputed
+fingerprints can be bulk-loaded instead of probed.
+
+Monad API surface: `GET /v1/organizations`, `GET /v2/{org}/pipelines/{id}`,
+`GET /v1/{org}/inputs/{id}`, `PATCH /v2/{org}/inputs/{id}`.
+
+## Requirements
+
+- `bash` (3.2+, macOS default works), `openssl`, `curl`, `jq`.
+- `timeout`/`gtimeout` optional (used to bound per-device probes; degrades
+  gracefully if absent).
+- Network egress to each device's TLS port and to `app.monad.com`.
+
+## Authentication
+
+Supply an **organization-level Monad API key** with permission to **read
+pipelines and update inputs**, via one of:
+
+- `-k, --api-key <key>`
+- `MONAD_API_KEY` environment variable
+- interactive prompt (if neither is set and a terminal is attached)
+
+The key is passed to `curl` through a mode-`600` config file, so it does not
+appear in the process list.
+
+## Usage
+
+```bash
+export MONAD_API_KEY='...'
+./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id>
+```
+
+Preview without writing:
+
+```bash
+./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id> --dry-run
+```
+
+Bulk-load precomputed fingerprints (skip the TLS probe):
+
+```bash
+./monad-tls-cert-to-pipeline.sh --hashes-file fingerprints.txt -p <pipeline_id>
+```
+
+| Flag | Required | Description |
+|------|----------|-------------|
+| `-f, --file` | one of `-f`/`--hashes-file` | IP list (one `ip`, `host`, or `host:port` per line); each device is probed over TLS |
+| `--hashes-file` | one of `-f`/`--hashes-file` | File of precomputed 64-char-hex SHA-256 fingerprints, added as-is |
+| `-p, --pipeline-id` | yes (unless `--input-id`) | Destination pipeline whose Syslog input is updated |
+| `-k, --api-key` | see Authentication | Monad API key |
+| `-o, --organization-id` | no | Org id; auto-resolved when the key has exactly one org |
+| `--input-id` | no | Target a Syslog input/component id directly, skipping pipeline lookup |
+| `-P, --port` | no | Default device TLS port (default `443`) |
+| `-t, --timeout` | no | Per-device connect timeout in seconds (default `10`) |
+| `-u, --base-url` | no | Monad API base URL (default `https://app.monad.com/api`) |
+| `--replace` | no | Replace `cert_fingerprints` instead of merging with existing |
+| `-n, --dry-run` | no | Do all reads, print what would be written, but don't `PATCH` |
+| `-h, --help` | no | Show help |
+
+## Inputs / outputs
+
+- **Input:** a text file of devices (`-f`) and/or a text file of 64-hex
+  fingerprints (`--hashes-file`). Blank lines and `#` comments are ignored.
+- **Effects:** updates `settings.cert_fingerprints` on the target Syslog input
+  (merge + de-dupe + lowercase by default). Prints a per-device result line and a
+  summary. Exits non-zero if any device failed or the update failed.
+
+## Limitations & caveats
+
+- **The pipeline must already have a Syslog input** (`monad-syslog`). The script
+  updates an existing input; it does not create one. If the pipeline has no
+  Syslog input, it exits with guidance; if it has several, pass `--input-id`.
+- **API-key permissions:** must read pipelines and update inputs at the org level.
+- **The fingerprint must match the device's _client_ certificate** as presented to
+  Monad's syslog endpoint. The script retrieves the cert the device serves on the
+  probed port; routing only works if that is the same cert the device uses for its
+  outbound (client) TLS to Monad. Verify for appliances that use separate certs.
+- **Random/unreachable IPs yield nothing** — a fingerprint requires a completed
+  TLS handshake; unreachable hosts time out and are reported as failures.
+- **IPv6 with a port is not parsed** — the `host:port` split is naive. Plain IPv6
+  addresses or hostnames are fine.
+- **Running as root bypasses the readability check** (`-r`), since root can read
+  any file regardless of mode.
+- **`--replace` overwrites** the entire `cert_fingerprints` list; the default
+  merges with whatever is already configured.
+
+## Safety
+
+- Credentials are never committed and are kept out of `ps` (curl `--config`).
+- Use `--dry-run` to preview the exact fingerprint list that would be written
+  before committing.
+
+## Related
+
+- Monad Syslog input — SNI / client-cert / fingerprint routing.
+- Monad REST API: organizations, pipelines, and inputs endpoints.
diff --git a/scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh b/scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh
new file mode 100755
index 0000000..2716215
--- /dev/null
+++ b/scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh
@@ -0,0 +1,416 @@
+#!/usr/bin/env bash
+#
+# monad-tls-cert-to-pipeline.sh
+#
+# Registers device TLS-certificate SHA-256 fingerprints on a Monad pipeline's
+# Syslog input, so that sources which CANNOT use SNI can still be routed to the
+# correct pipeline. Monad's syslog receiver matches the client-certificate
+# SHA-256 fingerprint of an incoming connection against the list configured on
+# each Syslog input (settings.cert_fingerprints) and routes accordingly.
+#
+# For each entry in the input file the script:
+#   1. Connects to the device over TLS with `openssl s_client`.
+#   2. Retrieves its leaf certificate and computes the SHA-256 fingerprint
+#      (64-character lowercase hex over the DER encoding).
+#   3. Adds that fingerprint to the `cert_fingerprints` list on the Syslog
+#      input of the specified pipeline, via the Monad REST API.
+#
+# Existing fingerprints are preserved (merge + de-dupe) unless --replace is given.
+#
+# Prerequisites:
+#   - The destination pipeline already contains a "Syslog" input node
+#     (connector id `monad-syslog`).
+#   - The Monad API key is an organization-level key permitted to read pipelines
+#     and update inputs.
+#   - The fingerprint computed here must be the certificate the device presents
+#     as its CLIENT certificate when it connects outbound to Monad's syslog
+#     endpoint. (For appliances that use one identity cert for both server and
+#     client TLS, that is the cert this script retrieves.)
+#
+# ---------------------------------------------------------------------------
+# Usage:
+#   monad-tls-cert-to-pipeline.sh -f <ip_file> -p <pipeline_id> [-k <api_key>] [options]
+#
+# Input (at least one of):
+#   -f, --file            Input file (one IP, host, or host:port per line); each
+#                         device is probed over TLS to compute its cert SHA-256.
+#       --hashes-file     File of precomputed SHA-256 fingerprints (64-char hex,
+#                         one per line); added as-is with no TLS probe. Use for
+#                         pre-collected fingerprints or bulk loads.
+#
+# Required:
+#   -p, --pipeline-id     Destination Monad pipeline id (its Syslog input is updated).
+#
+# API key (one of):
+#   -k, --api-key         Monad API key, OR
+#   env MONAD_API_KEY     Monad API key, OR
+#   (interactive prompt if neither is set and a terminal is attached).
+#
+# Optional:
+#   -o, --organization-id Monad organization id. Auto-resolved from the API key
+#                         when the key has access to exactly one organization.
+#       --input-id        Update this Syslog input/component id directly and skip
+#                         pipeline lookup (use if a pipeline has multiple inputs).
+#   -P, --port            Default TCP port for the DEVICE probe (default: 443).
+#   -t, --timeout         Per-device TLS connect timeout in seconds (default: 10).
+#   -u, --base-url        Monad API base URL (default: https://app.monad.com/api).
+#       --replace         Replace cert_fingerprints instead of merging with existing.
+#   -n, --dry-run         Do all reads and print the fingerprints that WOULD be
+#                         written, but do not PATCH.
+#   -h, --help            Show this help.
+#
+# Input file format:
+#   - One entry per line: "1.2.3.4", "host.example.com", or "1.2.3.4:8443".
+#   - Blank lines and lines beginning with '#' are ignored.
+#
+# Example:
+#   export MONAD_API_KEY='...'
+#   ./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id>
+# ---------------------------------------------------------------------------
+
+set -uo pipefail
+
+# ---- defaults --------------------------------------------------------------
+IP_FILE=""
+HASHES_FILE=""
+PIPELINE_ID=""
+API_KEY="${MONAD_API_KEY:-}"
+ORG_ID=""
+INPUT_ID=""
+DEFAULT_PORT=443
+CONNECT_TIMEOUT=10
+BASE_URL="https://app.monad.com/api"
+REPLACE=0
+DRY_RUN=0
+
+SYSLOG_SUBTYPE="monad-syslog"
+PROG="$(basename "$0")"
+
+usage() { sed -n '2,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
+die()   { echo "$PROG: error: $*" >&2; exit 1; }
+
+# Printed whenever the --file IP list can't be read, so the user knows the
+# expected layout.
+ip_file_format_help() {
+  cat >&2 <<'EOF'
+
+The IP list (--file) must be a plain text file the script can read, with one
+entry per line. Each line may be:
+  - an IP address            e.g.  203.0.113.10
+  - a hostname               e.g.  switch01.corp.example.com
+  - host:port (non-443)      e.g.  203.0.113.10:8443
+
+Blank lines and lines beginning with '#' are ignored.
+
+Example (devices.txt):
+  # data center A
+  203.0.113.10
+  203.0.113.11:8443
+  switch01.corp.example.com
+
+Then re-run, e.g.:
+  ./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id>
+
+If the file exists but this message mentions permissions, make it readable:
+  chmod +r devices.txt
+EOF
+}
+
+# Printed whenever the --hashes-file list can't be read, so the user knows the
+# expected layout.
+hashes_file_format_help() {
+  cat >&2 <<'EOF'
+
+The fingerprints file (--hashes-file) must be a plain text file the script can
+read, with one SHA-256 certificate fingerprint per line. Each fingerprint must
+be 64 hexadecimal characters (no colons, no "sha256:" prefix); case-insensitive.
+
+Blank lines and lines beginning with '#' are ignored.
+
+Example (fingerprints.txt):
+  # pre-collected device cert fingerprints
+  e3b02826789d653d224d3edacbe4e877cb7286fc4c922672f6226741ca57ad65
+  d07b43fd8d3d7aacb95750667417cc81264b60089c72df1a7b0a1862dc791d96
+
+Then re-run, e.g.:
+  ./monad-tls-cert-to-pipeline.sh --hashes-file fingerprints.txt -p <pipeline_id>
+
+If the file exists but this message mentions permissions, make it readable:
+  chmod +r fingerprints.txt
+EOF
+}
+
+# ---- arg parsing -----------------------------------------------------------
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -f|--file)            IP_FILE="${2:-}"; shift 2 ;;
+    --hashes-file)        HASHES_FILE="${2:-}"; shift 2 ;;
+    -p|--pipeline-id)     PIPELINE_ID="${2:-}"; shift 2 ;;
+    -k|--api-key)         API_KEY="${2:-}"; shift 2 ;;
+    -o|--organization-id) ORG_ID="${2:-}"; shift 2 ;;
+    --input-id)           INPUT_ID="${2:-}"; shift 2 ;;
+    -P|--port)            DEFAULT_PORT="${2:-}"; shift 2 ;;
+    -t|--timeout)         CONNECT_TIMEOUT="${2:-}"; shift 2 ;;
+    -u|--base-url)        BASE_URL="${2:-}"; shift 2 ;;
+    --replace)            REPLACE=1; shift ;;
+    -n|--dry-run)         DRY_RUN=1; shift ;;
+    -h|--help)            usage; exit 0 ;;
+    *) die "unknown argument: $1 (use --help)" ;;
+  esac
+done
+
+# ---- prerequisite checks ---------------------------------------------------
+for bin in openssl curl jq; do
+  command -v "$bin" >/dev/null 2>&1 || die "$bin is required but not found in PATH"
+done
+
+TIMEOUT_BIN=""
+if   command -v timeout  >/dev/null 2>&1; then TIMEOUT_BIN="timeout"
+elif command -v gtimeout >/dev/null 2>&1; then TIMEOUT_BIN="gtimeout"; fi
+
+[ -n "$IP_FILE" ] || [ -n "$HASHES_FILE" ] || die "provide --file and/or --hashes-file (use --help)"
+
+# Validate the IP list is readable, with formatting guidance on any failure.
+if [ -n "$IP_FILE" ]; then
+  if [ ! -e "$IP_FILE" ]; then
+    echo "$PROG: error: IP list file not found: $IP_FILE" >&2
+    ip_file_format_help
+    exit 1
+  elif [ ! -f "$IP_FILE" ]; then
+    echo "$PROG: error: IP list path is not a regular file: $IP_FILE" >&2
+    ip_file_format_help
+    exit 1
+  elif [ ! -r "$IP_FILE" ]; then
+    echo "$PROG: error: IP list file is not readable (check permissions): $IP_FILE" >&2
+    ip_file_format_help
+    exit 1
+  fi
+fi
+
+# Validate the fingerprints list is readable, with formatting guidance on any failure.
+if [ -n "$HASHES_FILE" ]; then
+  if [ ! -e "$HASHES_FILE" ]; then
+    echo "$PROG: error: fingerprints file not found: $HASHES_FILE" >&2
+    hashes_file_format_help
+    exit 1
+  elif [ ! -f "$HASHES_FILE" ]; then
+    echo "$PROG: error: fingerprints path is not a regular file: $HASHES_FILE" >&2
+    hashes_file_format_help
+    exit 1
+  elif [ ! -r "$HASHES_FILE" ]; then
+    echo "$PROG: error: fingerprints file is not readable (check permissions): $HASHES_FILE" >&2
+    hashes_file_format_help
+    exit 1
+  fi
+fi
+[ -n "$PIPELINE_ID" ] || [ -n "$INPUT_ID" ] || die "missing required --pipeline-id (use --help)"
+
+if [ -z "$API_KEY" ] && [ -t 0 ]; then
+  printf 'Monad API key: ' >&2; read -rs API_KEY; printf '\n' >&2
+fi
+[ -n "$API_KEY" ] || die "no API key provided (use --api-key, MONAD_API_KEY, or run interactively)"
+
+BASE_URL="${BASE_URL%/}"
+
+# Keep the API key out of the process list by passing headers via a curl config.
+CURL_CFG="$(mktemp "${TMPDIR:-/tmp}/monad-curl.XXXXXX")" || die "could not create temp file"
+cleanup() { rm -f "$CURL_CFG"; }
+trap cleanup EXIT INT TERM
+chmod 600 "$CURL_CFG"
+{
+  printf 'header = "Authorization: ApiKey %s"\n' "$API_KEY"
+  printf 'header = "Content-Type: application/json"\n'
+} > "$CURL_CFG"
+
+# ---- API helper ------------------------------------------------------------
+# api <METHOD> <PATH> [json-body]   ->  sets API_BODY and API_CODE
+api() {
+  local method="$1" path="$2" body="${3:-}"
+  local out
+  if [ -n "$body" ]; then
+    out="$(curl -sS --config "$CURL_CFG" -X "$method" "${BASE_URL}${path}" \
+             --data "$body" -w $'\n%{http_code}' 2>&1)"
+  else
+    out="$(curl -sS --config "$CURL_CFG" -X "$method" "${BASE_URL}${path}" \
+             -w $'\n%{http_code}' 2>&1)"
+  fi
+  API_CODE="$(printf '%s' "$out" | tail -n1)"
+  API_BODY="$(printf '%s' "$out" | sed '$d')"
+}
+
+api_ok() { case "$API_CODE" in 2??) return 0 ;; *) return 1 ;; esac; }
+
+# ---- resolve organization --------------------------------------------------
+if [ -z "$ORG_ID" ]; then
+  api GET "/v1/organizations"
+  api_ok || die "could not list organizations (HTTP $API_CODE): $API_BODY"
+  # Accept array, or {data:[...]}, or {organizations:[...]}.
+  org_ids="$(printf '%s' "$API_BODY" | jq -r '
+    (if type=="array" then . elif .data then .data elif .organizations then .organizations else [] end)
+    | .[]?.id // empty')"
+  count="$(printf '%s\n' "$org_ids" | grep -c . || true)"
+  if [ "$count" -eq 1 ]; then
+    ORG_ID="$(printf '%s\n' "$org_ids" | head -n1)"
+  elif [ "$count" -eq 0 ]; then
+    die "no organizations accessible to this API key"
+  else
+    die "API key has access to multiple organizations; specify --organization-id. Found:
+$org_ids"
+  fi
+fi
+echo "Organization : $ORG_ID"
+
+# ---- resolve the Syslog input/component id ---------------------------------
+if [ -z "$INPUT_ID" ]; then
+  api GET "/v2/${ORG_ID}/pipelines/${PIPELINE_ID}"
+  api_ok || die "could not fetch pipeline $PIPELINE_ID (HTTP $API_CODE): $API_BODY"
+  # bash 3.2 (macOS default) has no `mapfile`; read into an array portably.
+  SYS_IDS=()
+  while IFS= read -r _sid; do
+    [ -n "$_sid" ] && SYS_IDS+=("$_sid")
+  done < <(printf '%s' "$API_BODY" | jq -r --arg sub "$SYSLOG_SUBTYPE" \
+    '.nodes[]? | select(.component_type=="input" and .component_sub_type==$sub) | .component_id')
+  if [ "${#SYS_IDS[@]}" -eq 0 ]; then
+    # The pipeline has no Syslog input. Report what input connector(s) it does
+    # have so the user understands why this script can't act on it.
+    present="$(printf '%s' "$API_BODY" | jq -r \
+      '[.nodes[]? | select(.component_type=="input") | .component_sub_type] | unique | join(", ")')"
+    {
+      echo "$PROG: error: pipeline $PIPELINE_ID does not use a Syslog Input Connector."
+      if [ -n "$present" ]; then
+        echo "  Its input connector(s): ${present}"
+      else
+        echo "  It has no input nodes."
+      fi
+      echo
+      echo "This script only configures Syslog inputs (connector id '$SYSLOG_SUBTYPE'),"
+      echo "because the cert_fingerprints routing list is a Syslog-input feature."
+      echo "To fix, do one of:"
+      echo "  - point -p at a pipeline whose input is a Syslog Input Connector;"
+      echo "  - add a Syslog input to this pipeline in the Monad UI, then re-run;"
+      echo "  - pass --input-id <id> to target an existing Syslog input/component directly."
+    } >&2
+    exit 1
+  elif [ "${#SYS_IDS[@]}" -gt 1 ]; then
+    die "pipeline $PIPELINE_ID has multiple Syslog inputs (${SYS_IDS[*]}); pass --input-id to choose one"
+  fi
+  INPUT_ID="${SYS_IDS[0]}"
+fi
+echo "Syslog input : $INPUT_ID"
+
+# ---- read existing input config --------------------------------------------
+api GET "/v1/${ORG_ID}/inputs/${INPUT_ID}"
+api_ok || die "could not fetch input $INPUT_ID (HTTP $API_CODE): $API_BODY"
+EXISTING_SETTINGS="$(printf '%s' "$API_BODY" | jq -c '.config.settings // {}')"
+EXISTING_FPS="$(printf '%s' "$EXISTING_SETTINGS" | jq -c '.cert_fingerprints // []')"
+echo "Existing fingerprints: $(printf '%s' "$EXISTING_FPS" | jq 'length')"
+echo "-----------------------------------------------------------"
+
+# ---- gather fingerprints from devices --------------------------------------
+device_connect() {
+  local host="$1" port="$2"
+  if [ -n "$TIMEOUT_BIN" ]; then
+    "$TIMEOUT_BIN" "$CONNECT_TIMEOUT" \
+      openssl s_client -connect "${host}:${port}" -servername "$host" 2>/dev/null </dev/null
+  else
+    openssl s_client -connect "${host}:${port}" -servername "$host" 2>/dev/null </dev/null
+  fi
+}
+
+NEW_FPS_FILE="$(mktemp "${TMPDIR:-/tmp}/monad-fps.XXXXXX")"
+trap 'rm -f "$CURL_CFG" "$NEW_FPS_FILE"' EXIT INT TERM
+
+total=0; ok=0; failed=0; loaded=0
+
+# Preload any precomputed fingerprints (no TLS probe).
+if [ -n "$HASHES_FILE" ]; then
+  while IFS= read -r hraw || [ -n "$hraw" ]; do
+    h="$(printf '%s' "$hraw" | sed 's/[[:space:]]//g' | tr 'A-F' 'a-f')"
+    [ -z "$h" ] && continue
+    case "$h" in \#*) continue ;; esac
+    if printf '%s' "$h" | grep -qiE '^[0-9a-f]{64}$'; then
+      loaded=$((loaded + 1)); ok=$((ok + 1))
+      printf '%s\n' "$h" >> "$NEW_FPS_FILE"
+    else
+      failed=$((failed + 1))
+      echo "[FAIL] precomputed entry is not 64-char hex: $h"
+    fi
+  done < "$HASHES_FILE"
+  echo "Loaded $loaded precomputed fingerprint(s) from $HASHES_FILE"
+fi
+
+# Probe devices over TLS to compute fingerprints.
+if [ -n "$IP_FILE" ]; then
+  while IFS= read -r raw || [ -n "$raw" ]; do
+    line="$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
+    [ -z "$line" ] && continue
+    case "$line" in \#*) continue ;; esac
+    total=$((total + 1))
+
+    host="${line%%:*}"
+    if [ "$line" != "$host" ]; then port="${line##*:}"; else port="$DEFAULT_PORT"; fi
+
+    sha_hex="$(device_connect "$host" "$port" \
+      | openssl x509 -outform DER 2>/dev/null \
+      | openssl dgst -sha256 2>/dev/null \
+      | sed 's/^.*= *//' | tr 'A-F' 'a-f')"
+
+    if printf '%s' "$sha_hex" | grep -qiE '^[0-9a-f]{64}$'; then
+      ok=$((ok + 1))
+      echo "[ OK ] $host:$port  $sha_hex"
+      printf '%s\n' "$sha_hex" >> "$NEW_FPS_FILE"
+    else
+      failed=$((failed + 1))
+      echo "[FAIL] $host:$port  could not retrieve/parse certificate"
+    fi
+  done < "$IP_FILE"
+fi
+
+echo "-----------------------------------------------------------"
+
+if [ "$ok" -eq 0 ]; then
+  echo "No fingerprints collected; nothing to update."
+  echo "Devices processed : $total"
+  echo "Cert/hash failures: $failed"
+  [ "$failed" -gt 0 ] && exit 1 || exit 0
+fi
+
+NEW_FPS_JSON="$(jq -R 'select(length>0)' < "$NEW_FPS_FILE" | jq -s 'unique')"
+
+if [ "$REPLACE" -eq 1 ]; then
+  FINAL_FPS="$(printf '%s' "$NEW_FPS_JSON" | jq -c 'map(ascii_downcase) | unique')"
+else
+  FINAL_FPS="$(jq -cn --argjson a "$EXISTING_FPS" --argjson b "$NEW_FPS_JSON" \
+    '($a + $b) | map(ascii_downcase) | unique')"
+fi
+
+# Merge into the existing settings object so no other settings are dropped.
+NEW_SETTINGS="$(jq -cn --argjson s "$EXISTING_SETTINGS" --argjson fps "$FINAL_FPS" \
+  '$s + {cert_fingerprints: $fps}')"
+PATCH_BODY="$(jq -cn --arg type "$SYSLOG_SUBTYPE" --argjson settings "$NEW_SETTINGS" \
+  '{type: $type, config: {settings: $settings}}')"
+
+echo "Collected $ok new fingerprint(s); resulting cert_fingerprints count: $(printf '%s' "$FINAL_FPS" | jq 'length')"
+
+if [ "$DRY_RUN" -eq 1 ]; then
+  echo "DRY RUN — would PATCH /v2/${ORG_ID}/inputs/${INPUT_ID} with:"
+  printf '%s\n' "$PATCH_BODY" | jq .
+  echo "Devices processed : $total"
+  echo "Cert/hash failures: $failed"
+  [ "$failed" -gt 0 ] && exit 1 || exit 0
+fi
+
+# ---- write back ------------------------------------------------------------
+api PATCH "/v2/${ORG_ID}/inputs/${INPUT_ID}" "$PATCH_BODY"
+if api_ok; then
+  echo "Updated Syslog input $INPUT_ID (HTTP $API_CODE). cert_fingerprints now: $(printf '%s' "$FINAL_FPS" | jq 'length')"
+else
+  echo "ERROR: failed to update input (HTTP $API_CODE): $API_BODY" >&2
+  echo "Devices processed : $total / hashes: $ok / failures: $failed" >&2
+  exit 1
+fi
+
+echo "Devices processed : $total"
+echo "Fingerprints added: $ok"
+echo "Cert/hash failures: $failed"
+[ "$failed" -gt 0 ] && exit 1 || exit 0

From 792956f0ae2195c8177393182fb62cd1779b0edf Mon Sep 17 00:00:00 2001
From: behobu <kenneth.kaye@monad.com>
Date: Wed, 3 Jun 2026 15:50:27 -0600
Subject: [PATCH 2/5] refactor(scripts): rename TLS cert script to match its
 slug

Rename monad-tls-cert-to-pipeline.sh to tls-cert-to-syslog-input.sh so the
script file name matches its directory slug, and update the in-script header,
usage, and examples plus the README references accordingly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 scripts/tls-cert-to-syslog-input/README.md             |  8 ++++----
 ...cert-to-pipeline.sh => tls-cert-to-syslog-input.sh} | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)
 rename scripts/tls-cert-to-syslog-input/{monad-tls-cert-to-pipeline.sh => tls-cert-to-syslog-input.sh} (97%)

diff --git a/scripts/tls-cert-to-syslog-input/README.md b/scripts/tls-cert-to-syslog-input/README.md
index 57eca5b..0e58dda 100644
--- a/scripts/tls-cert-to-syslog-input/README.md
+++ b/scripts/tls-cert-to-syslog-input/README.md
@@ -1,6 +1,6 @@
 # tls-cert-to-syslog-input
 
-`monad-tls-cert-to-pipeline.sh`
+`tls-cert-to-syslog-input.sh`
 
 ## Purpose
 
@@ -42,19 +42,19 @@ appear in the process list.
 
 ```bash
 export MONAD_API_KEY='...'
-./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id>
+./tls-cert-to-syslog-input.sh -f devices.txt -p <pipeline_id>
 ```
 
 Preview without writing:
 
 ```bash
-./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id> --dry-run
+./tls-cert-to-syslog-input.sh -f devices.txt -p <pipeline_id> --dry-run
 ```
 
 Bulk-load precomputed fingerprints (skip the TLS probe):
 
 ```bash
-./monad-tls-cert-to-pipeline.sh --hashes-file fingerprints.txt -p <pipeline_id>
+./tls-cert-to-syslog-input.sh --hashes-file fingerprints.txt -p <pipeline_id>
 ```
 
 | Flag | Required | Description |
diff --git a/scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh b/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
similarity index 97%
rename from scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh
rename to scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
index 2716215..73fa23b 100755
--- a/scripts/tls-cert-to-syslog-input/monad-tls-cert-to-pipeline.sh
+++ b/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# monad-tls-cert-to-pipeline.sh
+# tls-cert-to-syslog-input.sh
 #
 # Registers device TLS-certificate SHA-256 fingerprints on a Monad pipeline's
 # Syslog input, so that sources which CANNOT use SNI can still be routed to the
@@ -29,7 +29,7 @@
 #
 # ---------------------------------------------------------------------------
 # Usage:
-#   monad-tls-cert-to-pipeline.sh -f <ip_file> -p <pipeline_id> [-k <api_key>] [options]
+#   tls-cert-to-syslog-input.sh -f <ip_file> -p <pipeline_id> [-k <api_key>] [options]
 #
 # Input (at least one of):
 #   -f, --file            Input file (one IP, host, or host:port per line); each
@@ -65,7 +65,7 @@
 #
 # Example:
 #   export MONAD_API_KEY='...'
-#   ./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id>
+#   ./tls-cert-to-syslog-input.sh -f devices.txt -p <pipeline_id>
 # ---------------------------------------------------------------------------
 
 set -uo pipefail
@@ -109,7 +109,7 @@ Example (devices.txt):
   switch01.corp.example.com
 
 Then re-run, e.g.:
-  ./monad-tls-cert-to-pipeline.sh -f devices.txt -p <pipeline_id>
+  ./tls-cert-to-syslog-input.sh -f devices.txt -p <pipeline_id>
 
 If the file exists but this message mentions permissions, make it readable:
   chmod +r devices.txt
@@ -133,7 +133,7 @@ Example (fingerprints.txt):
   d07b43fd8d3d7aacb95750667417cc81264b60089c72df1a7b0a1862dc791d96
 
 Then re-run, e.g.:
-  ./monad-tls-cert-to-pipeline.sh --hashes-file fingerprints.txt -p <pipeline_id>
+  ./tls-cert-to-syslog-input.sh --hashes-file fingerprints.txt -p <pipeline_id>
 
 If the file exists but this message mentions permissions, make it readable:
   chmod +r fingerprints.txt

From 0faeb42d13d22d4c3faee65f9aaa16cade76b6ef Mon Sep 17 00:00:00 2001
From: behobu <kenneth.kaye@monad.com>
Date: Fri, 5 Jun 2026 11:09:39 -0600
Subject: [PATCH 3/5] chore(license): switch from MIT to Apache 2.0

Replace the MIT license added in this PR with the Apache License 2.0,
retaining the Monad, Inc. copyright notice.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 LICENSE | 223 ++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 202 insertions(+), 21 deletions(-)

diff --git a/LICENSE b/LICENSE
index bc7b5b7..b0cd8e3 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,21 +1,202 @@
-MIT License
-
-Copyright (c) 2026 Monad, Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Monad, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

From 070a6cdb910bbefd934675ce576250fa3d23997a Mon Sep 17 00:00:00 2001
From: behobu <kenneth.kaye@monad.com>
Date: Fri, 5 Jun 2026 11:12:23 -0600
Subject: [PATCH 4/5] chore(license): add Apache 2.0 headers to shell scripts

Add the standard Apache 2.0 source header to the script template and
the TLS cert fingerprint script, and bump the usage() sed anchor so
--help output skips the header and stays unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 scripts/_template/script.sh                      | 16 +++++++++++++++-
 .../tls-cert-to-syslog-input.sh                  | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/scripts/_template/script.sh b/scripts/_template/script.sh
index 3221b51..e96ee46 100644
--- a/scripts/_template/script.sh
+++ b/scripts/_template/script.sh
@@ -1,4 +1,18 @@
 #!/usr/bin/env bash
+# Copyright 2026 Monad, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 #
 # <script-name>.sh
 #
@@ -27,7 +41,7 @@ API_KEY="${MONAD_API_KEY:-}"
 BASE_URL="https://app.monad.com/api"
 PROG="$(basename "$0")"
 
-usage() { sed -n '2,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
+usage() { sed -n '16,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
 die()   { echo "$PROG: error: $*" >&2; exit 1; }
 
 # ---- arg parsing -----------------------------------------------------------
diff --git a/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh b/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
index 73fa23b..25d434a 100755
--- a/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
+++ b/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
@@ -1,4 +1,18 @@
 #!/usr/bin/env bash
+# Copyright 2026 Monad, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 #
 # tls-cert-to-syslog-input.sh
 #
@@ -86,7 +100,7 @@ DRY_RUN=0
 SYSLOG_SUBTYPE="monad-syslog"
 PROG="$(basename "$0")"
 
-usage() { sed -n '2,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
+usage() { sed -n '16,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
 die()   { echo "$PROG: error: $*" >&2; exit 1; }
 
 # Printed whenever the --file IP list can't be read, so the user knows the

From 4d8d578400d9fed580cc8ba9c2aa110332cb5760 Mon Sep 17 00:00:00 2001
From: behobu <kenneth.kaye@monad.com>
Date: Fri, 5 Jun 2026 11:14:51 -0600
Subject: [PATCH 5/5] fix(scripts): make usage() anchors pattern-based and
 print full help
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous usage() implementation was doubly broken: it anchored the
doc block at a hard-coded line number (which silently breaks when the
header grows or shrinks), and it ended at the FIRST '# ----' divider,
which sits before the Usage section — so --help never actually printed
the usage and options text.

Anchor on structure instead: print from the first blank line (end of
the license header) up to the first line of code. --help output now
includes the full Usage, options, and examples sections.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 scripts/_template/script.sh                                  | 5 +++--
 scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/scripts/_template/script.sh b/scripts/_template/script.sh
index e96ee46..70791ae 100644
--- a/scripts/_template/script.sh
+++ b/scripts/_template/script.sh
@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#
 # <script-name>.sh
 #
 # <One-line summary of what this script does.>
@@ -41,7 +40,9 @@ API_KEY="${MONAD_API_KEY:-}"
 BASE_URL="https://app.monad.com/api"
 PROG="$(basename "$0")"
 
-usage() { sed -n '16,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
+# --help prints the doc block above: from the first blank line (end of the
+# license header) up to the first line of code, with comment markers stripped.
+usage() { awk '!/^(#|$)/{exit} /^$/{f=1} f' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
 die()   { echo "$PROG: error: $*" >&2; exit 1; }
 
 # ---- arg parsing -----------------------------------------------------------
diff --git a/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh b/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
index 25d434a..3871bb0 100755
--- a/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
+++ b/scripts/tls-cert-to-syslog-input/tls-cert-to-syslog-input.sh
@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#
 # tls-cert-to-syslog-input.sh
 #
 # Registers device TLS-certificate SHA-256 fingerprints on a Monad pipeline's
@@ -100,7 +99,9 @@ DRY_RUN=0
 SYSLOG_SUBTYPE="monad-syslog"
 PROG="$(basename "$0")"
 
-usage() { sed -n '16,/^# ----/p' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
+# --help prints the doc block above: from the first blank line (end of the
+# license header) up to the first line of code, with comment markers stripped.
+usage() { awk '!/^(#|$)/{exit} /^$/{f=1} f' "$0" | sed 's/^# \{0,1\}//; s/^#//'; }
 die()   { echo "$PROG: error: $*" >&2; exit 1; }
 
 # Printed whenever the --file IP list can't be read, so the user knows the