@matthesketh/fleet 1.0.0

package/dist/core/secrets.d.ts

@@ -0,0 +1,36 @@
+export declare const VAULT_DIR = "/home/matt/fleet/vault";
+export declare const KEY_PATH = "/etc/fleet/age.key";
+export declare const RUNTIME_DIR = "/run/fleet-secrets";
+export interface ManifestEntry {
+    type: 'env' | 'secrets-dir';
+    encryptedFile: string;
+    sourceFile: string;
+    files?: string[];
+    lastSealedAt: string;
+    keyCount: number;
+}
+export interface Manifest {
+    version: number;
+    apps: Record<string, ManifestEntry>;
+}
+export declare function ensureAge(): void;
+export declare function isInitialized(): boolean;
+export declare function isSealed(): boolean;
+export declare function getPublicKey(): string;
+export declare function initVault(): string;
+export declare function loadManifest(): Manifest;
+export declare function saveManifest(manifest: Manifest): void;
+export declare function backupVaultFile(app: string): string | null;
+export declare function restoreVaultFile(app: string): boolean;
+export declare function removeBackup(app: string): void;
+export declare function ageEncrypt(plaintext: string): string;
+export declare function ageDecrypt(ciphertext: string | Buffer): string;
+export declare function ageDecryptFile(filePath: string): string;
+export declare function sealApp(app: string, envContent: string, sourceFile: string): void;
+export declare function sealDbSecrets(app: string, secretsMap: Record<string, string>, sourceDir: string): void;
+export declare function decryptApp(app: string): string;
+export declare function parseSecretsBundle(bundle: string): Record<string, string>;
+export declare function listSecrets(app: string): Array<{
+    key: string;
+    maskedValue: string;
+}>;

package/dist/core/secrets.js

@@ -0,0 +1,191 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, chmodSync, rmSync, copyFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { execSync } from 'node:child_process';
+import { SecretsError, VaultNotInitializedError } from './errors.js';
+export const VAULT_DIR = '/home/matt/fleet/vault';
+export const KEY_PATH = '/etc/fleet/age.key';
+export const RUNTIME_DIR = '/run/fleet-secrets';
+const MANIFEST_PATH = join(VAULT_DIR, 'manifest.json');
+const SECRET_DELIMITER = '---SECRET:';
+export function ensureAge() {
+    try {
+        execSync('which age', { stdio: 'pipe' });
+    }
+    catch {
+        throw new SecretsError('age not found. Install with: apt install age');
+    }
+}
+export function isInitialized() {
+    return existsSync(KEY_PATH) && existsSync(VAULT_DIR);
+}
+export function isSealed() {
+    return !existsSync(RUNTIME_DIR) || readdirSync(RUNTIME_DIR).length === 0;
+}
+function requireInit() {
+    if (!isInitialized())
+        throw new VaultNotInitializedError();
+}
+export function getPublicKey() {
+    requireInit();
+    return execSync(`age-keygen -y ${KEY_PATH}`, { encoding: 'utf-8' }).trim();
+}
+export function initVault() {
+    ensureAge();
+    if (isInitialized())
+        throw new SecretsError('Vault already initialized');
+    const keyDir = '/etc/fleet';
+    if (!existsSync(keyDir)) {
+        mkdirSync(keyDir, { recursive: true, mode: 0o700 });
+    }
+    execSync(`age-keygen -o ${KEY_PATH} 2>/dev/null`);
+    chmodSync(KEY_PATH, 0o600);
+    if (!existsSync(VAULT_DIR)) {
+        mkdirSync(VAULT_DIR, { recursive: true });
+    }
+    saveManifest({ version: 1, apps: {} });
+    return getPublicKey();
+}
+export function loadManifest() {
+    requireInit();
+    if (!existsSync(MANIFEST_PATH))
+        return { version: 1, apps: {} };
+    return JSON.parse(readFileSync(MANIFEST_PATH, 'utf-8'));
+}
+export function saveManifest(manifest) {
+    writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + '\n');
+}
+export function backupVaultFile(app) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        return null;
+    const src = join(VAULT_DIR, entry.encryptedFile);
+    if (!existsSync(src))
+        return null;
+    const bak = src + '.bak';
+    copyFileSync(src, bak);
+    return bak;
+}
+export function restoreVaultFile(app) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        return false;
+    const src = join(VAULT_DIR, entry.encryptedFile);
+    const bak = src + '.bak';
+    if (!existsSync(bak))
+        return false;
+    copyFileSync(bak, src);
+    rmSync(bak, { force: true });
+    return true;
+}
+export function removeBackup(app) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        return;
+    const bak = join(VAULT_DIR, entry.encryptedFile) + '.bak';
+    rmSync(bak, { force: true });
+}
+export function ageEncrypt(plaintext) {
+    const pubkey = getPublicKey();
+    return execSync(`age -r ${pubkey} --armor`, {
+        input: plaintext,
+        encoding: 'utf-8',
+        maxBuffer: 10 * 1024 * 1024,
+    });
+}
+export function ageDecrypt(ciphertext) {
+    return execSync(`age -d -i ${KEY_PATH}`, {
+        input: ciphertext,
+        encoding: 'utf-8',
+        maxBuffer: 10 * 1024 * 1024,
+    });
+}
+export function ageDecryptFile(filePath) {
+    return execSync(`age -d -i ${KEY_PATH} "${filePath}"`, {
+        encoding: 'utf-8',
+        maxBuffer: 10 * 1024 * 1024,
+    });
+}
+export function sealApp(app, envContent, sourceFile) {
+    requireInit();
+    const encrypted = ageEncrypt(envContent);
+    const encFile = `${app}.env.age`;
+    writeFileSync(join(VAULT_DIR, encFile), encrypted);
+    const keyCount = envContent.split('\n').filter(l => l.includes('=') && !l.startsWith('#')).length;
+    const manifest = loadManifest();
+    manifest.apps[app] = {
+        type: 'env',
+        encryptedFile: encFile,
+        sourceFile,
+        lastSealedAt: new Date().toISOString(),
+        keyCount,
+    };
+    saveManifest(manifest);
+}
+export function sealDbSecrets(app, secretsMap, sourceDir) {
+    requireInit();
+    const filenames = Object.keys(secretsMap).sort();
+    const parts = filenames.map(f => `${SECRET_DELIMITER}${f}---\n${secretsMap[f]}`);
+    const bundle = parts.join('\n');
+    const encrypted = ageEncrypt(bundle);
+    const encFile = `${app}.secrets.age`;
+    writeFileSync(join(VAULT_DIR, encFile), encrypted);
+    const manifest = loadManifest();
+    manifest.apps[app] = {
+        type: 'secrets-dir',
+        encryptedFile: encFile,
+        sourceFile: sourceDir,
+        files: filenames,
+        lastSealedAt: new Date().toISOString(),
+        keyCount: filenames.length,
+    };
+    saveManifest(manifest);
+}
+export function decryptApp(app) {
+    requireInit();
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        throw new SecretsError(`No secrets found for app: ${app}`);
+    return ageDecryptFile(join(VAULT_DIR, entry.encryptedFile));
+}
+export function parseSecretsBundle(bundle) {
+    const files = {};
+    const parts = bundle.split(SECRET_DELIMITER).filter(p => p.trim());
+    for (const part of parts) {
+        const delimEnd = part.indexOf('---\n');
+        if (delimEnd < 0)
+            continue;
+        const filename = part.substring(0, delimEnd);
+        const content = part.substring(delimEnd + 4);
+        files[filename] = content;
+    }
+    return files;
+}
+function maskValue(val) {
+    if (val.length <= 3)
+        return '***';
+    return val.substring(0, 3) + '***';
+}
+export function listSecrets(app) {
+    const plaintext = decryptApp(app);
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (entry.type === 'env') {
+        return plaintext.split('\n')
+            .filter(l => l.includes('=') && !l.startsWith('#') && l.trim())
+            .map(line => {
+            const eqIdx = line.indexOf('=');
+            const key = line.substring(0, eqIdx);
+            const val = line.substring(eqIdx + 1);
+            return { key, maskedValue: maskValue(val) };
+        });
+    }
+    const files = parseSecretsBundle(plaintext);
+    return Object.entries(files).map(([filename, content]) => ({
+        key: filename,
+        maskedValue: maskValue(content.trim()),
+    }));
+}

package/dist/core/systemd.d.ts

@@ -0,0 +1,23 @@
+export declare function systemdAvailable(): boolean;
+export interface ServiceStatus {
+    name: string;
+    active: boolean;
+    enabled: boolean;
+    state: string;
+    description: string;
+}
+export declare function getServiceStatus(serviceName: string): ServiceStatus;
+export declare function getMultipleServiceStatuses(serviceNames: string[]): Map<string, ServiceStatus>;
+export declare function startService(serviceName: string): boolean;
+export declare function stopService(serviceName: string): boolean;
+export declare function restartService(serviceName: string): boolean;
+export declare function enableService(serviceName: string): boolean;
+export declare function disableService(serviceName: string): boolean;
+export declare function installServiceFile(serviceName: string, content: string): void;
+export declare function readServiceFile(serviceName: string): string | null;
+export declare function discoverServices(): string[];
+export declare function parseServiceFile(content: string): {
+    workingDirectory: string;
+    composeFile: string | null;
+    dependsOnDatabases: boolean;
+};

package/dist/core/systemd.js

@@ -0,0 +1,106 @@
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { exec } from './exec.js';
+let _systemdAvailable = null;
+export function systemdAvailable() {
+    if (_systemdAvailable === null) {
+        const result = exec('systemctl is-system-running');
+        // Returns "running", "degraded", etc. when systemd is PID 1.
+        // Returns "offline" when not booted with systemd.
+        _systemdAvailable = result.ok || result.stdout === 'degraded';
+    }
+    return _systemdAvailable;
+}
+function parseSystemctlShow(output) {
+    const props = {};
+    for (const line of output.split('\n')) {
+        const eq = line.indexOf('=');
+        if (eq > 0) {
+            props[line.slice(0, eq)] = line.slice(eq + 1);
+        }
+    }
+    return props;
+}
+export function getServiceStatus(serviceName) {
+    const result = exec(`systemctl show ${serviceName}.service --property=ActiveState,UnitFileState,Description --no-pager`);
+    const props = parseSystemctlShow(result.stdout);
+    return {
+        name: serviceName,
+        active: props.ActiveState === 'active',
+        enabled: props.UnitFileState === 'enabled',
+        state: props.ActiveState || 'unknown',
+        description: props.Description || '',
+    };
+}
+export function getMultipleServiceStatuses(serviceNames) {
+    if (serviceNames.length === 0)
+        return new Map();
+    const args = serviceNames.map(n => `${n}.service`).join(' ');
+    const result = exec(`systemctl show ${args} --property=Id,ActiveState,UnitFileState,Description --no-pager`, { timeout: 15_000 });
+    const map = new Map();
+    if (!result.stdout)
+        return map;
+    const blocks = result.stdout.split('\n\n');
+    for (const block of blocks) {
+        if (!block.trim())
+            continue;
+        const props = parseSystemctlShow(block);
+        const name = (props.Id || '').replace(/\.service$/, '');
+        if (name) {
+            map.set(name, {
+                name,
+                active: props.ActiveState === 'active',
+                enabled: props.UnitFileState === 'enabled',
+                state: props.ActiveState || 'unknown',
+                description: props.Description || '',
+            });
+        }
+    }
+    return map;
+}
+export function startService(serviceName) {
+    return exec(`systemctl start ${serviceName}.service`, { timeout: 60_000 }).ok;
+}
+export function stopService(serviceName) {
+    return exec(`systemctl stop ${serviceName}.service`, { timeout: 60_000 }).ok;
+}
+export function restartService(serviceName) {
+    return exec(`systemctl restart ${serviceName}.service`, { timeout: 120_000 }).ok;
+}
+export function enableService(serviceName) {
+    return exec(`systemctl enable ${serviceName}.service`).ok;
+}
+export function disableService(serviceName) {
+    return exec(`systemctl disable ${serviceName}.service`).ok;
+}
+export function installServiceFile(serviceName, content) {
+    const path = `/etc/systemd/system/${serviceName}.service`;
+    writeFileSync(path, content);
+    exec('systemctl daemon-reload');
+}
+export function readServiceFile(serviceName) {
+    const path = `/etc/systemd/system/${serviceName}.service`;
+    if (!existsSync(path))
+        return null;
+    return readFileSync(path, 'utf-8');
+}
+export function discoverServices() {
+    const result = exec('systemctl list-units --type=service --state=active --no-legend --no-pager', { timeout: 10_000 });
+    if (!result.ok)
+        return [];
+    return result.stdout.split('\n')
+        .map(line => line.trim().split(/\s+/)[0]?.replace('.service', '') ?? '')
+        .filter(name => {
+        const content = readServiceFile(name);
+        return content !== null && content.includes('docker compose');
+    });
+}
+export function parseServiceFile(content) {
+    const wdMatch = content.match(/WorkingDirectory=(.+)/);
+    const composeFileMatch = content.match(/-f\s+(\S+\.ya?ml)/);
+    const dbDep = content.includes('docker-databases.service');
+    return {
+        workingDirectory: wdMatch?.[1] ?? '',
+        composeFile: composeFileMatch?.[1] ?? null,
+        dependsOnDatabases: dbDep,
+    };
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+import { run } from './cli.js';
+import { error } from './ui/output.js';
+import { FleetError } from './core/errors.js';
+const isMcp = process.argv.includes('mcp');
+const isInstallMcp = process.argv.includes('install-mcp');
+if (!isMcp && !isInstallMcp && process.getuid && process.getuid() !== 0) {
+    error('fleet must be run as root');
+    process.exit(1);
+}
+run(process.argv).catch((err) => {
+    if (err instanceof FleetError) {
+        error(err.message);
+        process.exit(err.exitCode);
+    }
+    error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+});

package/dist/mcp/git-tools.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerGitTools(server: McpServer): void;

package/dist/mcp/git-tools.js

@@ -0,0 +1,148 @@
+import { z } from 'zod';
+import { load, findApp } from '../core/registry.js';
+import { getGitStatus, getProjectRoot, gitAdd, gitCommit, gitCheckout, gitPush } from '../core/git.js';
+import { detectScenario, describeOnboardPlan, executeOnboard } from '../core/git-onboard.js';
+import * as github from '../core/github.js';
+import { AppNotFoundError } from '../core/errors.js';
+function requireApp(name) {
+    const reg = load();
+    const app = findApp(reg, name);
+    if (!app)
+        throw new AppNotFoundError(name);
+    return app;
+}
+function text(msg) {
+    return { content: [{ type: 'text', text: msg }] };
+}
+function onboardHint(app) {
+    if (app.gitOnboardedAt)
+        return null;
+    return `${app.name} is not git-onboarded yet. Run fleet_git_onboard first.`;
+}
+export function registerGitTools(server) {
+    server.tool('fleet_git_status', 'Git state for one or all apps: branch, clean/dirty, onboard status', { app: z.string().optional().describe('App name (omit for all apps)') }, async ({ app: appName }) => {
+        const reg = load();
+        if (appName) {
+            const app = findApp(reg, appName);
+            if (!app)
+                throw new AppNotFoundError(appName);
+            const root = getProjectRoot(app.composePath);
+            const status = getGitStatus(root);
+            return text(JSON.stringify({ app: app.name, root, onboarded: !!app.gitOnboardedAt, ...status }, null, 2));
+        }
+        const results = reg.apps.map(a => {
+            const root = getProjectRoot(a.composePath);
+            const status = getGitStatus(root);
+            return { app: a.name, onboarded: !!a.gitOnboardedAt, branch: status.branch, clean: status.clean, initialised: status.initialised };
+        });
+        return text(JSON.stringify(results, null, 2));
+    });
+    server.tool('fleet_git_onboard', 'Onboard an app to GitHub: create repo, push code, protect branches', {
+        app: z.string().describe('App name'),
+        dryRun: z.boolean().optional().default(false).describe('Preview without making changes'),
+    }, async ({ app: appName, dryRun }) => {
+        const app = requireApp(appName);
+        const root = getProjectRoot(app.composePath);
+        const status = getGitStatus(root);
+        const scenario = detectScenario(status);
+        if (dryRun) {
+            const plan = describeOnboardPlan(scenario, app.name, status);
+            return text(`Scenario: ${scenario}\nRoot: ${root}\n\nPlan:\n${plan.map((s, i) => `${i + 1}. ${s}`).join('\n')}`);
+        }
+        const result = executeOnboard(scenario, root, app.name, app.name, status);
+        return text(`Onboarded ${app.name} (${result.scenario})\n\nSteps:\n${result.steps.map(s => `- ${s}`).join('\n')}\n\nRepo: ${result.repoUrl}`);
+    });
+    server.tool('fleet_git_branch', 'Create a feature branch from develop (or other base) and push it', {
+        app: z.string().describe('App name'),
+        branch: z.string().describe('New branch name'),
+        from: z.string().optional().default('develop').describe('Base branch'),
+        dryRun: z.boolean().optional().default(false).describe('Preview without making changes'),
+    }, async ({ app: appName, branch, from, dryRun }) => {
+        const app = requireApp(appName);
+        const hint = onboardHint(app);
+        if (hint)
+            return text(hint);
+        const root = getProjectRoot(app.composePath);
+        if (dryRun)
+            return text(`Would checkout ${from}, create branch ${branch}, and push`);
+        gitCheckout(root, from);
+        gitCheckout(root, branch, true);
+        gitPush(root, branch, true);
+        return text(`Created and pushed branch ${branch} from ${from}`);
+    });
+    server.tool('fleet_git_commit', 'Stage all changes and commit', {
+        app: z.string().describe('App name'),
+        message: z.string().describe('Commit message'),
+        dryRun: z.boolean().optional().default(false).describe('Preview without making changes'),
+    }, async ({ app: appName, message, dryRun }) => {
+        const app = requireApp(appName);
+        const hint = onboardHint(app);
+        if (hint)
+            return text(hint);
+        const root = getProjectRoot(app.composePath);
+        if (dryRun)
+            return text(`Would stage all and commit: "${message}"`);
+        gitAdd(root);
+        gitCommit(root, message);
+        return text(`Committed: ${message}`);
+    });
+    server.tool('fleet_git_push', 'Push current branch to origin', {
+        app: z.string().describe('App name'),
+        dryRun: z.boolean().optional().default(false).describe('Preview without making changes'),
+    }, async ({ app: appName, dryRun }) => {
+        const app = requireApp(appName);
+        const hint = onboardHint(app);
+        if (hint)
+            return text(hint);
+        const root = getProjectRoot(app.composePath);
+        const status = getGitStatus(root);
+        if (dryRun)
+            return text(`Would push branch ${status.branch}`);
+        gitPush(root, status.branch, true);
+        return text(`Pushed ${status.branch}`);
+    });
+    server.tool('fleet_git_pr_create', 'Create a pull request on GitHub', {
+        app: z.string().describe('App name'),
+        title: z.string().describe('PR title'),
+        body: z.string().optional().describe('PR description'),
+        base: z.string().optional().default('develop').describe('Base branch'),
+        dryRun: z.boolean().optional().default(false).describe('Preview without making changes'),
+    }, async ({ app: appName, title, body, base, dryRun }) => {
+        const app = requireApp(appName);
+        const hint = onboardHint(app);
+        if (hint)
+            return text(hint);
+        const root = getProjectRoot(app.composePath);
+        const status = getGitStatus(root);
+        if (dryRun)
+            return text(`Would create PR: "${title}" (${status.branch} -> ${base})`);
+        const pr = github.createPullRequest(app.name, { title, body, head: status.branch, base });
+        return text(`Created PR #${pr.number}: ${pr.url}`);
+    });
+    server.tool('fleet_git_pr_list', 'List pull requests for an app', {
+        app: z.string().describe('App name'),
+        state: z.enum(['open', 'closed', 'all']).optional().default('open').describe('PR state filter'),
+    }, async ({ app: appName, state }) => {
+        const app = requireApp(appName);
+        const hint = onboardHint(app);
+        if (hint)
+            return text(hint);
+        const prs = github.listPullRequests(app.name, state);
+        return text(JSON.stringify(prs, null, 2));
+    });
+    server.tool('fleet_git_release', 'Create a release PR from develop to main', {
+        app: z.string().describe('App name'),
+        title: z.string().optional().describe('PR title (defaults to "Release: <app>")'),
+        dryRun: z.boolean().optional().default(false).describe('Preview without making changes'),
+    }, async ({ app: appName, title, dryRun }) => {
+        const app = requireApp(appName);
+        const hint = onboardHint(app);
+        if (hint)
+            return text(hint);
+        const prTitle = title || `Release: ${app.name}`;
+        if (dryRun)
+            return text(`Would create PR: "${prTitle}" (develop -> main)`);
+        const pr = github.createPullRequest(app.name, { title: prTitle, head: 'develop', base: 'main' });
+        return text(`Created release PR #${pr.number}: ${pr.url}`);
+    });
+}

package/dist/mcp/secrets-tools.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerSecretsTools(server: McpServer): void;

package/dist/mcp/secrets-tools.js

@@ -0,0 +1,67 @@
+import { z } from 'zod';
+import { isInitialized } from '../core/secrets.js';
+import { restoreVaultFile } from '../core/secrets.js';
+import { setSecret, getSecret, sealFromRuntime, detectDrift, } from '../core/secrets-ops.js';
+function text(msg) {
+    return { content: [{ type: 'text', text: msg }] };
+}
+function requireVault() {
+    if (!isInitialized())
+        throw new Error('Vault not initialised. Run: fleet secrets init');
+}
+export function registerSecretsTools(server) {
+    server.tool('fleet_secrets_set', 'Set a single secret key/value for an app. ' +
+        'IMPORTANT: This updates the encrypted vault directly. ' +
+        'The change persists across reboots. ' +
+        'If the app is running, you may also need to update the runtime env and restart the app.', {
+        app: z.string().describe('App name'),
+        key: z.string().describe('Secret key name (e.g. DATABASE_URL)'),
+        value: z.string().describe('Secret value'),
+    }, async ({ app, key, value }) => {
+        requireVault();
+        setSecret(app, key, value);
+        return text(`Set ${key} for ${app} in vault. Run fleet_secrets_unseal + restart the app to apply at runtime.`);
+    });
+    server.tool('fleet_secrets_get', 'Get a single decrypted secret value from the vault. ' +
+        'Returns the value stored in the encrypted vault, NOT the runtime value. ' +
+        'Use fleet_secrets_drift to check if runtime differs from vault.', {
+        app: z.string().describe('App name'),
+        key: z.string().describe('Secret key name'),
+    }, async ({ app, key }) => {
+        requireVault();
+        const val = getSecret(app, key);
+        if (val === null)
+            return text(`Key not found: ${key}`);
+        return text(val);
+    });
+    server.tool('fleet_secrets_seal', 'Seal runtime secrets back to the encrypted vault. ' +
+        'CRITICAL: If you modified environment variables at runtime (e.g. edited .env files in /run/fleet-secrets/), ' +
+        'those changes will be LOST on reboot unless you seal them back to the vault with this tool. ' +
+        'This re-encrypts the current runtime state into the vault so it persists across reboots.', {
+        app: z.string().optional().describe('App name (omit to seal all apps)'),
+    }, async ({ app }) => {
+        requireVault();
+        const sealed = sealFromRuntime(app);
+        return text(`Sealed ${sealed.length} app(s): ${sealed.join(', ')}. Changes will now persist across reboots.`);
+    });
+    server.tool('fleet_secrets_drift', 'Detect drift between vault (encrypted, survives reboot) and runtime (/run/fleet-secrets/, lost on reboot). ' +
+        'Shows which keys were added, removed, or changed at runtime but NOT sealed back to the vault. ' +
+        'If drift is detected, use fleet_secrets_seal to persist changes, or fleet_secrets_unseal to revert runtime to vault state.', {
+        app: z.string().optional().describe('App name (omit to check all apps)'),
+    }, async ({ app }) => {
+        requireVault();
+        const results = detectDrift(app);
+        return text(JSON.stringify(results, null, 2));
+    });
+    server.tool('fleet_secrets_restore', 'Restore vault from backup (.bak file). ' +
+        'Backups are created automatically before any seal operation. ' +
+        'Use this if a seal operation produced incorrect results and you want to revert to the previous vault state.', {
+        app: z.string().describe('App name'),
+    }, async ({ app }) => {
+        requireVault();
+        const ok = restoreVaultFile(app);
+        if (!ok)
+            return text(`No backup found for ${app}`);
+        return text(`Restored vault backup for ${app}. Run fleet_secrets_unseal to apply to runtime.`);
+    });
+}

package/dist/mcp/server.d.ts

@@ -0,0 +1 @@
+export declare function startMcpServer(): Promise<void>;