@appfleet-cli/cli 0.1.0

package/dist/demo-fixture.d.ts

@@ -0,0 +1,11 @@
+import type { CredentialBlobEnvelope, KeyWrapperEnvelope } from "@appfleet/crypto";
+export type PrototypeSecretFixture = {
+    project: string;
+    environment: string;
+    alias: string;
+    workspaceId: string;
+    masterPassword: string;
+    credentialEnvelope: CredentialBlobEnvelope;
+    keyWrapperEnvelope: KeyWrapperEnvelope;
+};
+export declare const demoSecretFixture: PrototypeSecretFixture;

package/dist/demo-fixture.js

@@ -0,0 +1,39 @@
+export const demoSecretFixture = {
+    project: "demo-project",
+    environment: "dev",
+    alias: "APPFLEET_DEMO_SECRET",
+    workspaceId: "workspace_demo_local",
+    masterPassword: "appfleet-demo-master-password",
+    credentialEnvelope: {
+        type: "credential_blob",
+        envelopeVersion: 1,
+        algorithmId: "xchacha20poly1305-ietf",
+        workspaceId: "workspace_demo_local",
+        recordId: "credential_demo_openai_api_key",
+        keyGenerationId: "kg_demo_2026_05_27",
+        nonce: "28X7GCBkU0v_JBgrRSezamOlQxT4AU4L",
+        ciphertext: "U-TuenGLVQbs857WEf8qkWsGN4X9Ro6wEsUzbLkj7E4HHP3Ai-uO-qOm",
+        createdAt: "2026-05-27T12:00:00.000Z",
+    },
+    keyWrapperEnvelope: {
+        type: "key_wrapper",
+        envelopeVersion: 1,
+        algorithmId: "xchacha20poly1305-ietf",
+        workspaceId: "workspace_demo_local",
+        wrapperId: "wrapper_demo_master_password",
+        wrappedKeyId: "workspace_vault_key_demo_1",
+        keyGenerationId: "kg_demo_2026_05_27",
+        nonce: "z2SmjwlZyrdgrr1xwgdCWSmJLvuTPUPM",
+        salt: "hpcmtZiQE6tUpmjswhuxlg",
+        kdf: {
+            name: "argon2id",
+            algorithm: "argon2id13",
+            memoryBytes: 67108864,
+            operations: 3,
+            parallelism: 1,
+            outputBytes: 32,
+        },
+        ciphertext: "6MSTR3-VBVB52MXKu0E22lmiGKkEiHB2OVuf1i2mwcTpu7uvjmMuNgnvfUDeVbvO",
+        createdAt: "2026-05-27T12:00:00.000Z",
+    },
+};

package/dist/generate-cli-docs.d.ts

@@ -0,0 +1 @@
+export declare function renderCliDocs(): string;

package/dist/generate-cli-docs.js

@@ -0,0 +1,94 @@
+import { readFile, writeFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { cliCommandDocs } from "./command-registry.js";
+const docsPath = resolve(process.cwd(), "..", "..", "docs", "cli.md");
+export function renderCliDocs() {
+    const lines = [
+        "# AppFleet CLI Reference",
+        "",
+        "This file is generated from the CLI command registry.",
+        "",
+        "Run `pnpm --filter @appfleet-cli/cli docs:generate` after changing command metadata.",
+        "",
+        "The CLI is the production local execution boundary for AppFleet. It handles local unlock, decrypt, and secret injection on the user's machine, while hosted auth, cloud metadata sync, provider contracts, and audit flows are explicit, authenticated, and secret-safe.",
+        "",
+    ];
+    for (const command of cliCommandDocs) {
+        lines.push(`## ${command.namespace} ${command.name}`);
+        lines.push("");
+        lines.push(command.summary);
+        lines.push("");
+        lines.push("### Usage");
+        lines.push("");
+        lines.push("```sh");
+        lines.push(command.usage);
+        lines.push("```");
+        lines.push("");
+        if (command.arguments.length > 0) {
+            lines.push("### Arguments");
+            lines.push("");
+            for (const argument of command.arguments) {
+                lines.push(`- ${argument}`);
+            }
+            lines.push("");
+        }
+        if (command.options.length > 0) {
+            lines.push("### Options");
+            lines.push("");
+            for (const option of command.options) {
+                lines.push(`- \`${option.flags}\`: ${option.description}`);
+            }
+            lines.push("");
+        }
+        if (command.examples.length > 0) {
+            lines.push("### Examples");
+            lines.push("");
+            lines.push("```sh");
+            lines.push(...command.examples);
+            lines.push("```");
+            lines.push("");
+        }
+        if (command.reads.length > 0) {
+            lines.push("### Reads");
+            lines.push("");
+            for (const value of command.reads) {
+                lines.push(`- ${value}`);
+            }
+            lines.push("");
+        }
+        if (command.writes.length > 0) {
+            lines.push("### Writes");
+            lines.push("");
+            for (const value of command.writes) {
+                lines.push(`- ${value}`);
+            }
+            lines.push("");
+        }
+        lines.push("### Secret Safety");
+        lines.push("");
+        for (const value of command.secretSafety) {
+            lines.push(`- ${value}`);
+        }
+        lines.push("");
+    }
+    return `${lines.join("\n").trimEnd()}\n`;
+}
+async function main() {
+    const mode = process.argv.includes("--check") ? "check" : "generate";
+    const rendered = renderCliDocs();
+    if (mode === "check") {
+        const current = await readFile(docsPath, "utf8");
+        if (current !== rendered) {
+            process.stderr.write("AppFleet CLI docs are stale. Run `pnpm --filter @appfleet-cli/cli docs:generate`.\n");
+            return 1;
+        }
+        process.stdout.write("AppFleet CLI docs are current.\n");
+        return 0;
+    }
+    await writeFile(docsPath, rendered);
+    process.stdout.write(`Generated ${docsPath}\n`);
+    return 0;
+}
+if (import.meta.url === `file://${process.argv[1]}`) {
+    process.exitCode = await main();
+}

package/dist/health.d.ts

@@ -0,0 +1,8 @@
+export type HealthCommandResult = {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+};
+export declare function runHealthCommand(argv: string[], options?: {
+    now?: () => Date;
+}): Promise<HealthCommandResult>;

package/dist/health.js

@@ -0,0 +1,60 @@
+import { createCronHeartbeatContract, createHealthSchedulerContract, } from "@appfleet/domain";
+export async function runHealthCommand(argv, options = {}) {
+    const normalizedArgv = argv[0] === "--" ? argv.slice(1) : argv;
+    if (normalizedArgv[0] !== "health" || normalizedArgv[1] !== "schedule") {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: "AppFleet health failed: usage: health schedule [--workspace <workspace-id>] [--json]\n",
+        };
+    }
+    const workspaceId = readFlag(normalizedArgv, "--workspace") ?? "workspace_local";
+    const now = (options.now ?? (() => new Date()))().toISOString();
+    const scheduler = createHealthSchedulerContract({
+        workspaceId,
+        scheduleId: "stored_public_health",
+        cadence: "manual",
+    });
+    const cronHeartbeat = createCronHeartbeatContract({
+        workspaceId,
+        scheduleId: scheduler.scheduleId,
+        heartbeatId: "stored_public_health_heartbeat",
+        expectedEveryMinutes: 24 * 60,
+        now,
+    });
+    const document = {
+        type: "health_schedule_contract_result",
+        version: 1,
+        scheduler,
+        cronHeartbeat,
+        providerApiCallsMade: false,
+        envFilesRead: false,
+        containsCredentialValues: false,
+        containsProviderPayload: false,
+        trustBoundary: scheduler.trustBoundary,
+    };
+    return {
+        exitCode: 0,
+        stdout: normalizedArgv.includes("--json")
+            ? `${JSON.stringify(document, null, 2)}\n`
+            : `${[
+                "AppFleet health schedule: safe scheduler contract ready.",
+                `workspaceId=${workspaceId}`,
+                `scheduleId=${scheduler.scheduleId}`,
+                `cadence=${scheduler.cadence}`,
+                `heartbeatStatus=${cronHeartbeat.status}`,
+                "providerApiCallsMade=false",
+                "envFilesRead=false",
+                "trustBoundary:",
+                ...scheduler.trustBoundary.map((item) => `- ${item}`),
+            ].join("\n")}\n`,
+        stderr: "",
+    };
+}
+function readFlag(argv, flag) {
+    const index = argv.indexOf(flag);
+    if (index === -1) {
+        return undefined;
+    }
+    return argv[index + 1];
+}

package/dist/local-vault.d.ts

@@ -0,0 +1,75 @@
+import { type AppCredentialStatus, type AppOsKeychainIntegrationMetadata } from "@appfleet/domain";
+type ParsedLocalVaultCommand = {
+    action: "vault-init";
+    workspaceId: string;
+    masterPassword?: string;
+} | {
+    action: "vault-unlock";
+    masterPassword?: string;
+} | {
+    action: "vault-change-password";
+    masterPassword?: string;
+    newMasterPassword?: string;
+} | {
+    action: "vault-recovery-generate";
+    masterPassword?: string;
+    recoveryKey?: string;
+} | {
+    action: "vault-recovery-unlock";
+    recoveryKey?: string;
+} | {
+    action: "vault-recovery-rotate";
+    masterPassword?: string;
+    recoveryKey?: string;
+} | {
+    action: "vault-recovery-kit";
+} | {
+    action: "vault-device-key-register";
+    deviceId: string;
+    deviceLabel: string;
+} | {
+    action: "vault-keychain-status";
+    provider?: AppOsKeychainIntegrationMetadata["provider"];
+} | {
+    action: "secrets-set";
+    project: string;
+    environment: string;
+    alias: string;
+    label?: string;
+    status: AppCredentialStatus;
+    value?: string;
+    masterPassword?: string;
+} | {
+    action: "secrets-list";
+    project: string;
+    environment?: string;
+} | {
+    action: "secrets-inject";
+    project: string;
+    environment: string;
+    masterPassword?: string;
+    command: string;
+    args: string[];
+} | {
+    action: "secrets-upload";
+    outputPath?: string;
+} | {
+    action: "secrets-download";
+    inputPath?: string;
+};
+export type LocalVaultCommandResult = {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+    childStarted?: boolean;
+    auditId?: string;
+};
+export type LocalVaultCommandOptions = {
+    vaultPath?: string;
+    auditPath?: string;
+    now?: () => Date;
+    env?: NodeJS.ProcessEnv;
+};
+export declare function parseLocalVaultCommand(argv: string[]): ParsedLocalVaultCommand;
+export declare function runLocalVaultCommand(argv: string[], options?: LocalVaultCommandOptions): Promise<LocalVaultCommandResult>;
+export {};