@matthesketh/fleet 1.0.0

package/dist/core/health.js

@@ -0,0 +1,56 @@
+import { exec } from './exec.js';
+import { getServiceStatus, getMultipleServiceStatuses, systemdAvailable } from './systemd.js';
+import { listContainers } from './docker.js';
+export function checkHealth(app, prefetched) {
+    const systemd = prefetched !== undefined
+        ? prefetched.serviceStatus
+        : (systemdAvailable() ? getServiceStatus(app.serviceName) : null);
+    const allContainers = prefetched !== undefined
+        ? prefetched.containers
+        : listContainers();
+    const containers = app.containers.map(name => {
+        const c = allContainers.find(ac => ac.name === name);
+        return {
+            name,
+            running: c !== undefined && c.status.startsWith('Up'),
+            health: c?.health ?? 'not found',
+        };
+    });
+    let http = null;
+    if (app.port) {
+        http = checkHttp(app.port, app.healthPath);
+    }
+    const systemdOk = systemd ? systemd.active : true; // skip if unavailable
+    const containersOk = containers.length > 0 && containers.every(c => c.running);
+    const httpOk = http === null || http.ok;
+    const overall = systemdOk && containersOk && httpOk ? 'healthy'
+        : !containersOk ? 'down'
+            : 'degraded';
+    return {
+        app: app.name,
+        systemd: { ok: systemd?.active ?? false, state: systemd?.state ?? 'n/a' },
+        containers,
+        http,
+        overall,
+    };
+}
+export function checkHttp(port, healthPath) {
+    const path = healthPath ?? '/health';
+    const result = exec(`curl -s -o /dev/null -w "%{http_code}" --max-time 5 http://127.0.0.1:${port}${path}`, { timeout: 10_000 });
+    const status = parseInt(result.stdout, 10);
+    if (!isNaN(status) && status > 0) {
+        return { ok: status >= 200 && status < 500, status, error: null };
+    }
+    return { ok: false, status: null, error: result.stderr || 'Connection failed' };
+}
+export function checkAllHealth(apps) {
+    const allContainers = listContainers();
+    const hasSystemd = systemdAvailable();
+    const serviceStatuses = hasSystemd
+        ? getMultipleServiceStatuses(apps.map(a => a.serviceName))
+        : new Map();
+    return apps.map(app => checkHealth(app, {
+        containers: allContainers,
+        serviceStatus: serviceStatuses.get(app.serviceName) ?? null,
+    }));
+}

package/dist/core/nginx.d.ts

@@ -0,0 +1,17 @@
+export interface NginxSite {
+    domain: string;
+    configFile: string;
+    enabled: boolean;
+    ssl: boolean;
+}
+export declare function listSites(): NginxSite[];
+export declare function installConfig(domain: string, content: string): void;
+export declare function removeConfig(domain: string): boolean;
+export declare function testConfig(): {
+    ok: boolean;
+    output: string;
+};
+export declare function reload(): boolean;
+export declare function readConfig(domain: string): string | null;
+export declare function extractPortFromConfig(content: string): number | null;
+export declare function extractDomainsFromConfig(content: string): string[];

package/dist/core/nginx.js

@@ -0,0 +1,59 @@
+import { existsSync, readdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
+import { exec } from './exec.js';
+const SITES_AVAILABLE = '/etc/nginx/sites-available';
+const SITES_ENABLED = '/etc/nginx/sites-enabled';
+export function listSites() {
+    if (!existsSync(SITES_AVAILABLE))
+        return [];
+    const files = readdirSync(SITES_AVAILABLE).filter(f => f.endsWith('.conf') && !f.startsWith('default'));
+    return files.map(file => {
+        const content = readFileSync(`${SITES_AVAILABLE}/${file}`, 'utf-8');
+        const domain = file.replace('.conf', '');
+        const enabled = existsSync(`${SITES_ENABLED}/${file}`);
+        const ssl = content.includes('ssl_certificate') || content.includes('listen 443');
+        return { domain, configFile: file, enabled, ssl };
+    });
+}
+export function installConfig(domain, content) {
+    const filename = `${domain}.conf`;
+    writeFileSync(`${SITES_AVAILABLE}/${filename}`, content);
+    const enabledPath = `${SITES_ENABLED}/${filename}`;
+    if (!existsSync(enabledPath)) {
+        exec(`ln -sf ${SITES_AVAILABLE}/${filename} ${enabledPath}`);
+    }
+}
+export function removeConfig(domain) {
+    const filename = `${domain}.conf`;
+    const available = `${SITES_AVAILABLE}/${filename}`;
+    const enabled = `${SITES_ENABLED}/${filename}`;
+    if (existsSync(enabled))
+        unlinkSync(enabled);
+    if (existsSync(available)) {
+        unlinkSync(available);
+        return true;
+    }
+    return false;
+}
+export function testConfig() {
+    const result = exec('nginx -t 2>&1', { timeout: 10_000 });
+    return { ok: result.ok || result.stderr.includes('successful'), output: result.stderr || result.stdout };
+}
+export function reload() {
+    return exec('systemctl reload nginx', { timeout: 10_000 }).ok;
+}
+export function readConfig(domain) {
+    const path = `${SITES_AVAILABLE}/${domain}.conf`;
+    if (!existsSync(path))
+        return null;
+    return readFileSync(path, 'utf-8');
+}
+export function extractPortFromConfig(content) {
+    const match = content.match(/proxy_pass\s+https?:\/\/(?:127\.0\.0\.1|localhost):(\d+)/);
+    return match ? parseInt(match[1], 10) : null;
+}
+export function extractDomainsFromConfig(content) {
+    const match = content.match(/server_name\s+([^;]+);/);
+    if (!match)
+        return [];
+    return match[1].split(/\s+/).filter(d => d && d !== '_');
+}

package/dist/core/registry.d.ts

@@ -0,0 +1,38 @@
+export interface AppEntry {
+    name: string;
+    displayName: string;
+    composePath: string;
+    composeFile: string | null;
+    serviceName: string;
+    domains: string[];
+    port: number | null;
+    usesSharedDb: boolean;
+    type: 'spa' | 'proxy' | 'nextjs' | 'service';
+    containers: string[];
+    dependsOnDatabases: boolean;
+    healthPath?: string;
+    secretsManaged?: boolean;
+    gitRepo?: string;
+    gitRemoteUrl?: string;
+    gitOnboardedAt?: string;
+    registeredAt: string;
+}
+export interface Registry {
+    version: number;
+    apps: AppEntry[];
+    infrastructure: {
+        databases: {
+            serviceName: string;
+            composePath: string;
+        };
+        nginx: {
+            configPath: string;
+        };
+    };
+}
+export declare function load(): Registry;
+export declare function save(reg: Registry): void;
+export declare function findApp(reg: Registry, name: string): AppEntry | undefined;
+export declare function addApp(reg: Registry, app: AppEntry): Registry;
+export declare function removeApp(reg: Registry, name: string): Registry;
+export declare function registryPath(): string;

package/dist/core/registry.js

@@ -0,0 +1,47 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const REGISTRY_PATH = join(__dirname, '..', '..', 'data', 'registry.json');
+function defaultRegistry() {
+    return {
+        version: 1,
+        apps: [],
+        infrastructure: {
+            databases: { serviceName: 'docker-databases', composePath: '/home/matt/docker-databases' },
+            nginx: { configPath: '/etc/nginx' },
+        },
+    };
+}
+export function load() {
+    if (!existsSync(REGISTRY_PATH))
+        return defaultRegistry();
+    const raw = readFileSync(REGISTRY_PATH, 'utf-8');
+    return JSON.parse(raw);
+}
+export function save(reg) {
+    const dir = dirname(REGISTRY_PATH);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    writeFileSync(REGISTRY_PATH, JSON.stringify(reg, null, 2) + '\n');
+}
+export function findApp(reg, name) {
+    return reg.apps.find(a => a.name === name || a.serviceName === name || a.displayName.toLowerCase() === name.toLowerCase());
+}
+export function addApp(reg, app) {
+    const existing = reg.apps.findIndex(a => a.name === app.name);
+    if (existing >= 0) {
+        reg.apps[existing] = app;
+    }
+    else {
+        reg.apps.push(app);
+    }
+    return reg;
+}
+export function removeApp(reg, name) {
+    reg.apps = reg.apps.filter(a => a.name !== name);
+    return reg;
+}
+export function registryPath() {
+    return REGISTRY_PATH;
+}

package/dist/core/secrets-ops.d.ts

@@ -0,0 +1,37 @@
+export interface SealValidation {
+    added: string[];
+    removed: string[];
+    unchanged: string[];
+}
+export declare function validateBeforeSeal(app: string, newContent: string): SealValidation;
+export declare function safeSealApp(app: string, content: string, sourceFile: string): SealValidation;
+export declare function safeSealDbSecrets(app: string, secretsMap: Record<string, string>, sourceDir: string): SealValidation;
+export declare function setSecret(app: string, key: string, value: string): void;
+export declare function getSecret(app: string, key: string): string | null;
+export declare function importEnvFile(app: string, path: string): number;
+export declare function importDbSecrets(app: string, dir: string): number;
+export declare function exportApp(app: string): string;
+export interface DriftResult {
+    app: string;
+    status: 'in-sync' | 'drifted' | 'missing-runtime';
+    addedKeys: string[];
+    removedKeys: string[];
+    changedKeys: string[];
+}
+export declare function detectDrift(app?: string): DriftResult[];
+export declare function unsealAll(): void;
+export declare function sealFromRuntime(app?: string): string[];
+export declare function rotateKey(): {
+    oldPubkey: string;
+    newPubkey: string;
+    appsRotated: string[];
+};
+export declare function getStatus(): {
+    initialized: boolean;
+    sealed: boolean;
+    keyPath: string;
+    vaultDir: string;
+    runtimeDir: string;
+    appCount: number;
+    totalKeys: number;
+};

package/dist/core/secrets-ops.js

@@ -0,0 +1,331 @@
+import { existsSync, readFileSync, writeFileSync, readdirSync, chmodSync, mkdirSync, rmSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { execSync } from 'node:child_process';
+import { validateAll } from './secrets-validate.js';
+import { SecretsError } from './errors.js';
+import { KEY_PATH, VAULT_DIR, RUNTIME_DIR, loadManifest, saveManifest, decryptApp, parseSecretsBundle, sealApp, sealDbSecrets, ageEncrypt, ageDecryptFile, getPublicKey, isInitialized, isSealed, backupVaultFile, restoreVaultFile, removeBackup, } from './secrets.js';
+// --- Helpers ---
+function parseEnvKeys(content) {
+    return content.split('\n')
+        .filter(l => l.includes('=') && !l.startsWith('#') && l.trim())
+        .map(l => l.substring(0, l.indexOf('=')));
+}
+export function validateBeforeSeal(app, newContent) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    // New app — no previous data to compare
+    if (!entry)
+        return { added: parseEnvKeys(newContent), removed: [], unchanged: [] };
+    const oldPlaintext = decryptApp(app);
+    let oldKeys;
+    let newKeys;
+    if (entry.type === 'env') {
+        oldKeys = parseEnvKeys(oldPlaintext);
+        newKeys = parseEnvKeys(newContent);
+    }
+    else {
+        oldKeys = Object.keys(parseSecretsBundle(oldPlaintext));
+        newKeys = Object.keys(parseSecretsBundle(newContent));
+    }
+    const oldSet = new Set(oldKeys);
+    const newSet = new Set(newKeys);
+    const added = newKeys.filter(k => !oldSet.has(k));
+    const removed = oldKeys.filter(k => !newSet.has(k));
+    const unchanged = oldKeys.filter(k => newSet.has(k));
+    // Reject if >50% of keys would be dropped (protects against accidental wipes)
+    if (oldKeys.length > 0 && removed.length > oldKeys.length * 0.5) {
+        throw new SecretsError(`Seal rejected for ${app}: would remove ${removed.length}/${oldKeys.length} keys (${removed.join(', ')}). ` +
+            `This looks like an accidental wipe. Use importEnvFile to force-replace.`);
+    }
+    return { added, removed, unchanged };
+}
+// --- Phase 8: Safe seal wrappers ---
+export function safeSealApp(app, content, sourceFile) {
+    const validation = validateBeforeSeal(app, content);
+    backupVaultFile(app);
+    try {
+        sealApp(app, content, sourceFile);
+        removeBackup(app);
+    }
+    catch (err) {
+        restoreVaultFile(app);
+        throw err;
+    }
+    return validation;
+}
+export function safeSealDbSecrets(app, secretsMap, sourceDir) {
+    // Build the bundle content for validation
+    const SECRET_DELIMITER = '---SECRET:';
+    const filenames = Object.keys(secretsMap).sort();
+    const parts = filenames.map(f => `${SECRET_DELIMITER}${f}---\n${secretsMap[f]}`);
+    const bundleContent = parts.join('\n');
+    const validation = validateBeforeSeal(app, bundleContent);
+    backupVaultFile(app);
+    try {
+        sealDbSecrets(app, secretsMap, sourceDir);
+        removeBackup(app);
+    }
+    catch (err) {
+        restoreVaultFile(app);
+        throw err;
+    }
+    return validation;
+}
+export function setSecret(app, key, value) {
+    const plaintext = decryptApp(app);
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (entry.type !== 'env')
+        throw new SecretsError(`Cannot set key/value on secrets-dir type for ${app}`);
+    const lines = plaintext.split('\n');
+    let found = false;
+    const updated = lines.map(line => {
+        const eqIdx = line.indexOf('=');
+        if (eqIdx > 0 && line.substring(0, eqIdx) === key) {
+            found = true;
+            return `${key}=${value}`;
+        }
+        return line;
+    });
+    if (!found)
+        updated.push(`${key}=${value}`);
+    safeSealApp(app, updated.join('\n'), entry.sourceFile);
+}
+export function getSecret(app, key) {
+    const plaintext = decryptApp(app);
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (entry.type === 'env') {
+        for (const line of plaintext.split('\n')) {
+            const eqIdx = line.indexOf('=');
+            if (eqIdx > 0 && line.substring(0, eqIdx) === key) {
+                return line.substring(eqIdx + 1);
+            }
+        }
+        return null;
+    }
+    const files = parseSecretsBundle(plaintext);
+    return files[key] ?? null;
+}
+export function importEnvFile(app, path) {
+    if (!existsSync(path))
+        throw new SecretsError(`File not found: ${path}`);
+    const content = readFileSync(path, 'utf-8');
+    // importEnvFile is an explicit replace — bypass validation, but still backup
+    backupVaultFile(app);
+    try {
+        sealApp(app, content, path);
+        removeBackup(app);
+    }
+    catch (err) {
+        restoreVaultFile(app);
+        throw err;
+    }
+    const manifest = loadManifest();
+    return manifest.apps[app].keyCount;
+}
+export function importDbSecrets(app, dir) {
+    if (!existsSync(dir))
+        throw new SecretsError(`Directory not found: ${dir}`);
+    const stat = statSync(dir);
+    if (!stat.isDirectory())
+        throw new SecretsError(`Not a directory: ${dir}`);
+    const files = readdirSync(dir).filter(f => !f.startsWith('.'));
+    const secretsMap = {};
+    for (const file of files) {
+        secretsMap[file] = readFileSync(join(dir, file), 'utf-8');
+    }
+    // importDbSecrets is an explicit replace — bypass validation, but still backup
+    backupVaultFile(app);
+    try {
+        sealDbSecrets(app, secretsMap, dir);
+        removeBackup(app);
+    }
+    catch (err) {
+        restoreVaultFile(app);
+        throw err;
+    }
+    return files.length;
+}
+export function exportApp(app) {
+    return decryptApp(app);
+}
+export function detectDrift(app) {
+    const manifest = loadManifest();
+    const apps = app ? [app] : Object.keys(manifest.apps);
+    const results = [];
+    for (const a of apps) {
+        const entry = manifest.apps[a];
+        if (!entry) {
+            results.push({ app: a, status: 'missing-runtime', addedKeys: [], removedKeys: [], changedKeys: [] });
+            continue;
+        }
+        if (entry.type === 'env') {
+            const runtimePath = join(RUNTIME_DIR, a, '.env');
+            if (!existsSync(runtimePath)) {
+                results.push({ app: a, status: 'missing-runtime', addedKeys: [], removedKeys: [], changedKeys: [] });
+                continue;
+            }
+            const vaultPlaintext = decryptApp(a);
+            const runtimeContent = readFileSync(runtimePath, 'utf-8');
+            const vaultMap = parseEnvMap(vaultPlaintext);
+            const runtimeMap = parseEnvMap(runtimeContent);
+            const addedKeys = Object.keys(runtimeMap).filter(k => !(k in vaultMap));
+            const removedKeys = Object.keys(vaultMap).filter(k => !(k in runtimeMap));
+            const changedKeys = Object.keys(vaultMap).filter(k => k in runtimeMap && vaultMap[k] !== runtimeMap[k]);
+            const status = (addedKeys.length || removedKeys.length || changedKeys.length) ? 'drifted' : 'in-sync';
+            results.push({ app: a, status, addedKeys, removedKeys, changedKeys });
+        }
+        else {
+            const runtimeDir = join(RUNTIME_DIR, a, 'secrets');
+            if (!existsSync(runtimeDir)) {
+                results.push({ app: a, status: 'missing-runtime', addedKeys: [], removedKeys: [], changedKeys: [] });
+                continue;
+            }
+            const vaultPlaintext = decryptApp(a);
+            const vaultFiles = parseSecretsBundle(vaultPlaintext);
+            const runtimeFiles = readdirSync(runtimeDir);
+            const runtimeMap = {};
+            for (const f of runtimeFiles) {
+                runtimeMap[f] = readFileSync(join(runtimeDir, f), 'utf-8');
+            }
+            const addedKeys = runtimeFiles.filter(f => !(f in vaultFiles));
+            const removedKeys = Object.keys(vaultFiles).filter(f => !(f in runtimeMap));
+            const changedKeys = Object.keys(vaultFiles).filter(f => f in runtimeMap && vaultFiles[f] !== runtimeMap[f]);
+            const status = (addedKeys.length || removedKeys.length || changedKeys.length) ? 'drifted' : 'in-sync';
+            results.push({ app: a, status, addedKeys, removedKeys, changedKeys });
+        }
+    }
+    return results;
+}
+function parseEnvMap(content) {
+    const map = {};
+    for (const line of content.split('\n')) {
+        if (!line.trim() || line.startsWith('#'))
+            continue;
+        const eqIdx = line.indexOf('=');
+        if (eqIdx > 0) {
+            map[line.substring(0, eqIdx)] = line.substring(eqIdx + 1);
+        }
+    }
+    return map;
+}
+// --- Phase 4: Improved unseal (validate before write) ---
+export function unsealAll() {
+    const manifest = loadManifest();
+    // Phase 4: Decrypt all apps first and validate BEFORE writing to runtime
+    const decrypted = {};
+    for (const [app, entry] of Object.entries(manifest.apps)) {
+        decrypted[app] = ageDecryptFile(join(VAULT_DIR, entry.encryptedFile));
+    }
+    // Validate before writing — catch missing secrets before runtime gets partial data
+    const results = validateAll();
+    let hasMissing = false;
+    for (const r of results) {
+        if (r.missing.length > 0) {
+            process.stderr.write(`[fleet-unseal] ERROR: ${r.app} missing secrets: ${r.missing.join(', ')}\n`);
+            hasMissing = true;
+        }
+    }
+    if (hasMissing) {
+        throw new SecretsError('Unseal aborted — some secrets are missing from the vault. Runtime was NOT modified. Run "fleet secrets validate" for details.');
+    }
+    // All valid — now write to runtime
+    if (!existsSync(RUNTIME_DIR)) {
+        mkdirSync(RUNTIME_DIR, { mode: 0o700, recursive: true });
+    }
+    for (const [app, entry] of Object.entries(manifest.apps)) {
+        const plaintext = decrypted[app];
+        if (entry.type === 'env') {
+            const appDir = join(RUNTIME_DIR, app);
+            if (!existsSync(appDir))
+                mkdirSync(appDir, { recursive: true, mode: 0o700 });
+            const envPath = join(appDir, '.env');
+            writeFileSync(envPath, plaintext);
+            chmodSync(envPath, 0o600);
+        }
+        else if (entry.type === 'secrets-dir') {
+            const secretsDir = join(RUNTIME_DIR, app, 'secrets');
+            if (!existsSync(secretsDir))
+                mkdirSync(secretsDir, { recursive: true, mode: 0o755 });
+            const parsed = parseSecretsBundle(plaintext);
+            for (const [filename, content] of Object.entries(parsed)) {
+                const fpath = join(secretsDir, filename);
+                writeFileSync(fpath, content);
+                // 0644: docker compose secrets bind-mounts files into containers where
+                // non-root processes (e.g. mongodb uid 999) need read access
+                chmodSync(fpath, 0o644);
+            }
+        }
+    }
+}
+export function sealFromRuntime(app) {
+    const manifest = loadManifest();
+    const apps = app ? [app] : Object.keys(manifest.apps);
+    const sealed = [];
+    for (const a of apps) {
+        const entry = manifest.apps[a];
+        if (!entry)
+            throw new SecretsError(`No secrets found for app: ${a}`);
+        if (entry.type === 'env') {
+            const runtimePath = join(RUNTIME_DIR, a, '.env');
+            if (!existsSync(runtimePath))
+                throw new SecretsError(`Runtime file not found: ${runtimePath}`);
+            const content = readFileSync(runtimePath, 'utf-8');
+            safeSealApp(a, content, entry.sourceFile);
+        }
+        else {
+            const runtimeDir = join(RUNTIME_DIR, a, 'secrets');
+            if (!existsSync(runtimeDir))
+                throw new SecretsError(`Runtime dir not found: ${runtimeDir}`);
+            const dirFiles = readdirSync(runtimeDir);
+            const secretsMap = {};
+            for (const f of dirFiles) {
+                secretsMap[f] = readFileSync(join(runtimeDir, f), 'utf-8');
+            }
+            safeSealDbSecrets(a, secretsMap, entry.sourceFile);
+        }
+        sealed.push(a);
+    }
+    return sealed;
+}
+export function rotateKey() {
+    const manifest = loadManifest();
+    const oldPubkey = getPublicKey();
+    const decrypted = {};
+    for (const [app, entry] of Object.entries(manifest.apps)) {
+        decrypted[app] = ageDecryptFile(join(VAULT_DIR, entry.encryptedFile));
+    }
+    const backupPath = KEY_PATH + '.old';
+    execSync(`cp ${KEY_PATH} ${backupPath}`);
+    execSync(`age-keygen -o ${KEY_PATH} 2>/dev/null`);
+    chmodSync(KEY_PATH, 0o600);
+    const newPubkey = getPublicKey();
+    for (const [app, entry] of Object.entries(manifest.apps)) {
+        const encrypted = ageEncrypt(decrypted[app]);
+        writeFileSync(join(VAULT_DIR, entry.encryptedFile), encrypted);
+        entry.lastSealedAt = new Date().toISOString();
+    }
+    saveManifest(manifest);
+    rmSync(backupPath, { force: true });
+    return { oldPubkey, newPubkey, appsRotated: Object.keys(manifest.apps) };
+}
+export function getStatus() {
+    const init = isInitialized();
+    let appCount = 0;
+    let totalKeys = 0;
+    if (init) {
+        const manifest = loadManifest();
+        appCount = Object.keys(manifest.apps).length;
+        totalKeys = Object.values(manifest.apps).reduce((sum, e) => sum + e.keyCount, 0);
+    }
+    return {
+        initialized: init,
+        sealed: isSealed(),
+        keyPath: KEY_PATH,
+        vaultDir: VAULT_DIR,
+        runtimeDir: RUNTIME_DIR,
+        appCount,
+        totalKeys,
+    };
+}

package/dist/core/secrets-validate.d.ts

@@ -0,0 +1,8 @@
+export interface ValidationResult {
+    app: string;
+    ok: boolean;
+    missing: string[];
+    extra: string[];
+}
+export declare function validateApp(appName: string): ValidationResult;
+export declare function validateAll(): ValidationResult[];

package/dist/core/secrets-validate.js

@@ -0,0 +1,81 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { loadManifest } from './secrets.js';
+import { load } from './registry.js';
+function extractComposeSecrets(composePath, composeFile) {
+    const file = composeFile
+        ? join(composePath, composeFile)
+        : join(composePath, 'docker-compose.yml');
+    if (!existsSync(file)) {
+        const alt = join(composePath, 'compose.yml');
+        if (!existsSync(alt))
+            return [];
+        return parseSecretsFromFile(alt);
+    }
+    return parseSecretsFromFile(file);
+}
+function parseSecretsFromFile(filePath) {
+    const content = readFileSync(filePath, 'utf-8');
+    const secrets = [];
+    // match top-level secrets: block and extract secret names
+    const topLevelMatch = content.match(/^secrets:\s*\n((?:[ \t]+\S.*\n?)*)/m);
+    if (!topLevelMatch)
+        return [];
+    const block = topLevelMatch[1];
+    const lines = block.split('\n');
+    for (const line of lines) {
+        // match "  secret_name:" at 2-space indent (top-level secret definition)
+        const nameMatch = line.match(/^[ \t]{2}(\w[\w-]*):\s*$/);
+        if (nameMatch) {
+            secrets.push(nameMatch[1]);
+        }
+    }
+    return secrets;
+}
+function getVaultFiles(app) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        return [];
+    return entry.files ?? [];
+}
+export function validateApp(appName) {
+    let composePath;
+    let composeFile = null;
+    if (appName === 'docker-databases') {
+        composePath = '/home/matt/docker-databases';
+    }
+    else {
+        const reg = load();
+        const app = reg.apps.find(a => a.name === appName);
+        if (!app) {
+            return { app: appName, ok: false, missing: [], extra: [`App not found in registry`] };
+        }
+        composePath = app.composePath;
+        composeFile = app.composeFile;
+    }
+    const composeSecrets = extractComposeSecrets(composePath, composeFile);
+    if (composeSecrets.length === 0) {
+        return { app: appName, ok: true, missing: [], extra: [] };
+    }
+    const vaultFiles = getVaultFiles(appName);
+    // vault files have .txt extension; compose secret names don't — strip for comparison
+    const vaultNames = vaultFiles.map(f => f.replace(/\.txt$/, ''));
+    const missing = composeSecrets.filter(s => !vaultNames.includes(s));
+    const extra = vaultNames.filter(v => !composeSecrets.includes(v));
+    return {
+        app: appName,
+        ok: missing.length === 0,
+        missing,
+        extra,
+    };
+}
+export function validateAll() {
+    const results = [];
+    results.push(validateApp('docker-databases'));
+    const reg = load();
+    for (const app of reg.apps) {
+        results.push(validateApp(app.name));
+    }
+    return results;
+}