@matthesketh/fleet 1.0.0

package/dist/mcp/server.js

@@ -0,0 +1,179 @@
+import { z } from 'zod';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { getStatusData } from '../commands/status.js';
+import { existsSync } from 'node:fs';
+import { load, findApp, save, addApp } from '../core/registry.js';
+import { startService, stopService, restartService } from '../core/systemd.js';
+import { getContainerLogs, getContainersByCompose } from '../core/docker.js';
+import { checkHealth, checkAllHealth } from '../core/health.js';
+import { listSites, installConfig, testConfig, reload, removeConfig } from '../core/nginx.js';
+import { generateNginxConfig } from '../templates/nginx.js';
+import { composeBuild } from '../core/docker.js';
+import { AppNotFoundError } from '../core/errors.js';
+import { loadManifest, listSecrets, isInitialized } from '../core/secrets.js';
+import { unsealAll, getStatus as getSecretsStatus } from '../core/secrets-ops.js';
+import { validateApp, validateAll } from '../core/secrets-validate.js';
+import { registerGitTools } from './git-tools.js';
+import { registerSecretsTools } from './secrets-tools.js';
+function requireApp(name) {
+    const reg = load();
+    const app = findApp(reg, name);
+    if (!app)
+        throw new AppNotFoundError(name);
+    return app;
+}
+function text(msg) {
+    return { content: [{ type: 'text', text: msg }] };
+}
+export async function startMcpServer() {
+    const server = new McpServer({
+        name: 'fleet',
+        version: '1.0.0',
+    });
+    server.tool('fleet_status', 'Dashboard data for all apps: systemd state, containers, health', async () => {
+        const data = getStatusData();
+        return text(JSON.stringify(data, null, 2));
+    });
+    server.tool('fleet_list', 'List all registered apps with their configuration', async () => {
+        const reg = load();
+        return text(JSON.stringify(reg.apps, null, 2));
+    });
+    server.tool('fleet_start', 'Start an app via systemctl', { app: z.string().describe('App name') }, async ({ app }) => {
+        const entry = requireApp(app);
+        const ok = startService(entry.serviceName);
+        return text(ok ? `Started ${entry.name}` : `Failed to start ${entry.name}`);
+    });
+    server.tool('fleet_stop', 'Stop an app via systemctl', { app: z.string().describe('App name') }, async ({ app }) => {
+        const entry = requireApp(app);
+        const ok = stopService(entry.serviceName);
+        return text(ok ? `Stopped ${entry.name}` : `Failed to stop ${entry.name}`);
+    });
+    server.tool('fleet_restart', 'Restart an app via systemctl', { app: z.string().describe('App name') }, async ({ app }) => {
+        const entry = requireApp(app);
+        const ok = restartService(entry.serviceName);
+        return text(ok ? `Restarted ${entry.name}` : `Failed to restart ${entry.name}`);
+    });
+    server.tool('fleet_logs', 'Get recent container logs for an app', {
+        app: z.string().describe('App name'),
+        lines: z.number().optional().default(100).describe('Number of log lines'),
+    }, async ({ app, lines }) => {
+        const entry = requireApp(app);
+        const container = entry.containers[0];
+        if (!container)
+            return text('No containers registered');
+        const logs = getContainerLogs(container, lines);
+        return text(logs);
+    });
+    server.tool('fleet_health', 'Run health checks for one or all apps', { app: z.string().optional().describe('App name (omit for all apps)') }, async ({ app }) => {
+        const reg = load();
+        if (app) {
+            const entry = findApp(reg, app);
+            if (!entry)
+                throw new AppNotFoundError(app);
+            const result = checkHealth(entry);
+            return text(JSON.stringify(result, null, 2));
+        }
+        const results = checkAllHealth(reg.apps);
+        return text(JSON.stringify(results, null, 2));
+    });
+    server.tool('fleet_deploy', 'Deploy an app: build and restart', { app: z.string().describe('App name') }, async ({ app }) => {
+        const entry = requireApp(app);
+        const buildOk = composeBuild(entry.composePath, entry.composeFile, entry.name);
+        if (!buildOk)
+            return text(`Build failed for ${entry.name}`);
+        const ok = restartService(entry.serviceName);
+        return text(ok ? `Deployed ${entry.name}` : `Deploy failed for ${entry.name}`);
+    });
+    server.tool('fleet_nginx_add', 'Create an nginx config for a domain', {
+        domain: z.string().describe('Domain name'),
+        port: z.number().describe('Backend port'),
+        type: z.enum(['proxy', 'spa', 'nextjs']).optional().default('proxy').describe('Config type'),
+    }, async ({ domain, port, type }) => {
+        const config = generateNginxConfig({ domain, port, type });
+        installConfig(domain, config);
+        const test = testConfig();
+        if (!test.ok) {
+            removeConfig(domain);
+            return text(`Config test failed: ${test.output}`);
+        }
+        reload();
+        return text(`Created and activated nginx config for ${domain}`);
+    });
+    server.tool('fleet_nginx_list', 'List all nginx site configs', async () => {
+        const sites = listSites();
+        return text(JSON.stringify(sites, null, 2));
+    });
+    server.tool('fleet_secrets_status', 'Show vault initialisation state, sealed/unsealed, counts. The vault is the encrypted source of truth that survives reboots. Runtime (/run/fleet-secrets/) is the decrypted copy used by apps — it is lost on reboot.', async () => {
+        const status = getSecretsStatus();
+        return text(JSON.stringify(status, null, 2));
+    });
+    server.tool('fleet_secrets_list', 'List managed secrets for an app (masked values). Shows vault contents — use fleet_secrets_drift to check if runtime differs.', { app: z.string().optional().describe('App name (omit for all apps)') }, async ({ app }) => {
+        if (!isInitialized())
+            return text('Vault not initialised');
+        if (app) {
+            const secrets = listSecrets(app);
+            return text(JSON.stringify(secrets, null, 2));
+        }
+        const manifest = loadManifest();
+        return text(JSON.stringify(manifest.apps, null, 2));
+    });
+    server.tool('fleet_secrets_unseal', 'Decrypt vault to /run/fleet-secrets/. WARNING: This overwrites any runtime changes that were not sealed back to the vault. Use fleet_secrets_drift first to check for unsaved changes.', async () => {
+        if (!isInitialized())
+            return text('Vault not initialised');
+        unsealAll();
+        return text('Unsealed all secrets to /run/fleet-secrets/');
+    });
+    server.tool('fleet_secrets_validate', 'Validate compose secrets match vault. Returns missing/extra secrets per app. This checks that docker-compose secret references have matching entries in the vault.', { app: z.string().optional().describe('App name (omit for all apps)') }, async ({ app }) => {
+        if (!isInitialized())
+            return text('Vault not initialised');
+        const results = app ? [validateApp(app)] : validateAll();
+        return text(JSON.stringify(results, null, 2));
+    });
+    server.tool('fleet_register', 'Register a new app in the fleet registry', {
+        name: z.string().describe('App name (kebab-case identifier)'),
+        composePath: z.string().describe('Absolute path to docker-compose directory'),
+        displayName: z.string().optional().describe('Human-friendly name'),
+        composeFile: z.string().optional().describe('Custom compose filename'),
+        serviceName: z.string().optional().describe('Systemd service name'),
+        domains: z.array(z.string()).optional().default([]).describe('Domain names'),
+        port: z.number().optional().describe('Backend port'),
+        type: z.enum(['proxy', 'spa', 'nextjs', 'service']).optional().default('service').describe('App type'),
+        containers: z.array(z.string()).optional().describe('Container names (auto-detected if omitted)'),
+        usesSharedDb: z.boolean().optional().default(false).describe('Uses shared database'),
+        dependsOnDatabases: z.boolean().optional().default(false).describe('Depends on docker-databases'),
+    }, async (params) => {
+        if (!existsSync(params.composePath)) {
+            return text(`Error: composePath does not exist: ${params.composePath}`);
+        }
+        const reg = load();
+        const existing = findApp(reg, params.name);
+        let containers = params.containers;
+        if (!containers || containers.length === 0) {
+            containers = getContainersByCompose(params.composePath, params.composeFile ?? null);
+            if (containers.length === 0)
+                containers = [params.name];
+        }
+        const entry = {
+            name: params.name,
+            displayName: params.displayName ?? params.name,
+            composePath: params.composePath,
+            composeFile: params.composeFile ?? null,
+            serviceName: params.serviceName ?? params.name,
+            domains: params.domains,
+            port: params.port ?? null,
+            type: params.type,
+            containers,
+            usesSharedDb: params.usesSharedDb,
+            dependsOnDatabases: params.dependsOnDatabases,
+            registeredAt: new Date().toISOString(),
+        };
+        save(addApp(reg, entry));
+        const action = existing ? 'Updated' : 'Registered';
+        return text(`${action} app "${params.name}":\n${JSON.stringify(entry, null, 2)}`);
+    });
+    registerGitTools(server);
+    registerSecretsTools(server);
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}

package/dist/templates/gitignore.d.ts

@@ -0,0 +1,3 @@
+export type ProjectType = 'node' | 'nextjs' | 'go' | 'php' | 'generic';
+export declare function detectProjectType(dir: string): ProjectType;
+export declare function generateGitignore(type: ProjectType): string;

package/dist/templates/gitignore.js

@@ -0,0 +1,89 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+export function detectProjectType(dir) {
+    if (existsSync(join(dir, 'next.config.js')) || existsSync(join(dir, 'next.config.mjs')) || existsSync(join(dir, 'next.config.ts'))) {
+        return 'nextjs';
+    }
+    if (existsSync(join(dir, 'package.json')))
+        return 'node';
+    if (existsSync(join(dir, 'go.mod')))
+        return 'go';
+    if (existsSync(join(dir, 'composer.json')))
+        return 'php';
+    return 'generic';
+}
+const COMMON = `# ===== SECRETS - NEVER COMMIT =====
+.env
+.env.*
+!.env.example
+*.pem
+*.key
+
+# OS / editors
+.DS_Store
+Thumbs.db
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Docker overrides
+docker-compose.override.yml
+`;
+const NODE = `# Node
+node_modules/
+dist/
+build/
+coverage/
+.npm
+`;
+const NEXTJS = `# Node
+node_modules/
+dist/
+build/
+coverage/
+.npm
+
+# Next.js
+.next/
+out/
+*.tsbuildinfo
+`;
+const GO = `# Go
+bin/
+vendor/
+*.exe
+`;
+const PHP = `# PHP
+/vendor/
+composer.phar
+`;
+const FOOTER = `
+# ===== REMINDER: check for secrets before committing =====
+`;
+export function generateGitignore(type) {
+    let content = COMMON;
+    switch (type) {
+        case 'nextjs':
+            content += NEXTJS;
+            break;
+        case 'node':
+            content += NODE;
+            break;
+        case 'go':
+            content += GO;
+            break;
+        case 'php':
+            content += PHP;
+            break;
+        case 'generic': break;
+    }
+    return content + FOOTER;
+}

package/dist/templates/nginx.d.ts

@@ -0,0 +1,8 @@
+interface NginxOpts {
+    domain: string;
+    port: number;
+    type: 'proxy' | 'spa' | 'nextjs';
+    apiPrefix?: string;
+}
+export declare function generateNginxConfig(opts: NginxOpts): string;
+export {};

package/dist/templates/nginx.js

@@ -0,0 +1,111 @@
+export function generateNginxConfig(opts) {
+    const { domain, port, type } = opts;
+    const apiPrefix = opts.apiPrefix ?? '/api';
+    const securityHeaders = `    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;`;
+    const proxyHeaders = `        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;`;
+    if (type === 'proxy') {
+        return proxyTemplate(domain, port, securityHeaders, proxyHeaders);
+    }
+    if (type === 'nextjs') {
+        return nextjsTemplate(domain, port, securityHeaders, proxyHeaders);
+    }
+    return spaTemplate(domain, port, apiPrefix, securityHeaders, proxyHeaders);
+}
+function proxyTemplate(domain, port, security, proxy) {
+    return `server {
+    server_name ${domain} www.${domain};
+
+${security}
+
+    location / {
+        proxy_pass http://127.0.0.1:${port};
+${proxy}
+    }
+
+    listen 80;
+    listen [::]:80;
+}
+`;
+}
+function spaTemplate(domain, port, apiPrefix, security, proxy) {
+    return `server {
+    server_name ${domain} www.${domain};
+
+${security}
+
+    # Gzip
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript image/svg+xml;
+
+    # API proxy
+    location ${apiPrefix}/ {
+        proxy_pass http://127.0.0.1:${port};
+${proxy}
+        proxy_read_timeout 60s;
+        proxy_connect_timeout 60s;
+    }
+
+    # Sitemap and robots
+    location = /sitemap.xml {
+        proxy_pass http://127.0.0.1:${port};
+${proxy}
+    }
+    location = /robots.txt {
+        proxy_pass http://127.0.0.1:${port};
+${proxy}
+    }
+
+    # Static assets
+    location ~* \\.(?:css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        try_files $uri =404;
+    }
+
+    # SPA fallback
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    listen 80;
+    listen [::]:80;
+}
+`;
+}
+function nextjsTemplate(domain, port, security, proxy) {
+    return `server {
+    server_name ${domain} www.${domain};
+
+${security}
+
+    # Next.js static assets
+    location /_next/static/ {
+        proxy_pass http://127.0.0.1:${port};
+${proxy}
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # All traffic to Next.js
+    location / {
+        proxy_pass http://127.0.0.1:${port};
+${proxy}
+    }
+
+    listen 80;
+    listen [::]:80;
+}
+`;
+}

package/dist/templates/systemd.d.ts

@@ -0,0 +1,9 @@
+interface SystemdOpts {
+    serviceName: string;
+    description: string;
+    workingDirectory: string;
+    composeFile: string | null;
+    dependsOnDatabases: boolean;
+}
+export declare function generateServiceFile(opts: SystemdOpts): string;
+export {};

package/dist/templates/systemd.js

@@ -0,0 +1,26 @@
+export function generateServiceFile(opts) {
+    const fileFlag = opts.composeFile ? ` -f ${opts.composeFile}` : '';
+    const dbDep = opts.dependsOnDatabases ? ' docker-databases.service' : '';
+    return `[Unit]
+Description=${opts.description}
+Requires=docker.service${dbDep}
+After=docker.service${dbDep} network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=${opts.workingDirectory}
+ExecStartPre=-/usr/bin/docker compose${fileFlag} down
+ExecStart=/usr/bin/docker compose${fileFlag} up -d --force-recreate
+ExecStop=/usr/bin/docker compose${fileFlag} down --timeout 30
+ExecReload=/usr/bin/docker compose${fileFlag} restart
+TimeoutStartSec=300
+TimeoutStopSec=60
+Restart=on-failure
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+`;
+}

package/dist/templates/unseal.d.ts

@@ -0,0 +1 @@
+export declare function generateUnsealService(): string;

package/dist/templates/unseal.js

@@ -0,0 +1,22 @@
+import { load } from '../core/registry.js';
+export function generateUnsealService() {
+    const reg = load();
+    const serviceNames = reg.apps.map(a => a.serviceName + '.service');
+    const dbService = reg.infrastructure.databases.serviceName + '.service';
+    const allServices = [dbService, ...serviceNames].join(' ');
+    return `[Unit]
+Description=Fleet Secrets Unseal
+After=local-fs.target
+Before=${allServices}
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/node /home/matt/fleet/dist/index.js secrets unseal
+ExecStop=/bin/rm -rf /run/fleet-secrets
+TimeoutStartSec=30
+
+[Install]
+WantedBy=multi-user.target
+`;
+}

package/dist/tui/app.d.ts

@@ -0,0 +1 @@
+export declare function launchTui(): void;

package/dist/tui/app.js

@@ -0,0 +1,9 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+import { render } from 'ink';
+import { App } from './router.js';
+export function launchTui() {
+    const { waitUntilExit } = render(_jsx(App, {}));
+    waitUntilExit().then(() => {
+        process.exit(0);
+    });
+}

package/dist/tui/components/AppList.d.ts

@@ -0,0 +1,12 @@
+import React from 'react';
+interface AppListItem {
+    name: string;
+    label?: string;
+}
+interface AppListProps {
+    items: AppListItem[];
+    onSelect: (item: AppListItem) => void;
+    renderItem?: (item: AppListItem, selected: boolean) => React.JSX.Element;
+}
+export declare function AppList({ items, onSelect, renderItem }: AppListProps): React.JSX.Element;
+export {};

package/dist/tui/components/AppList.js

@@ -0,0 +1,32 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { colors } from '../theme.js';
+export function AppList({ items, onSelect, renderItem }) {
+    const [selectedIndex, setSelectedIndex] = useState(0);
+    useInput((input, key) => {
+        if (items.length === 0)
+            return;
+        if (input === 'j' || key.downArrow) {
+            setSelectedIndex(prev => Math.min(prev + 1, items.length - 1));
+        }
+        else if (input === 'k' || key.upArrow) {
+            setSelectedIndex(prev => Math.max(prev - 1, 0));
+        }
+        else if (key.return) {
+            if (items[selectedIndex]) {
+                onSelect(items[selectedIndex]);
+            }
+        }
+    });
+    if (items.length === 0) {
+        return _jsx(Text, { color: colors.muted, children: "No items" });
+    }
+    return (_jsx(Box, { flexDirection: "column", children: items.map((item, i) => {
+            const selected = i === selectedIndex;
+            if (renderItem) {
+                return (_jsxs(Box, { children: [_jsx(Text, { color: colors.primary, children: selected ? '> ' : '  ' }), renderItem(item, selected)] }, item.name));
+            }
+            return (_jsxs(Text, { bold: selected, color: selected ? colors.primary : colors.text, children: [selected ? '> ' : '  ', item.label ?? item.name] }, item.name));
+        }) }));
+}

package/dist/tui/components/Confirm.d.ts

@@ -0,0 +1,2 @@
+import React from 'react';
+export declare function Confirm(): React.JSX.Element | null;

package/dist/tui/components/Confirm.js

@@ -0,0 +1,10 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from 'ink';
+import { useAppState } from '../state.js';
+import { colors } from '../theme.js';
+export function Confirm() {
+    const { confirmAction } = useAppState();
+    if (!confirmAction)
+        return null;
+    return (_jsxs(Box, { flexDirection: "column", borderStyle: "round", borderColor: colors.warning, paddingX: 2, paddingY: 1, marginY: 1, children: [_jsx(Text, { bold: true, color: colors.warning, children: confirmAction.label }), _jsx(Text, { color: colors.muted, children: confirmAction.description }), _jsxs(Box, { marginTop: 1, gap: 2, children: [_jsxs(Text, { children: [_jsx(Text, { bold: true, color: colors.success, children: "y" }), " confirm"] }), _jsxs(Text, { children: [_jsx(Text, { bold: true, color: colors.error, children: "n" }), " cancel"] })] })] }));
+}

package/dist/tui/components/Header.d.ts

@@ -0,0 +1,6 @@
+import React from 'react';
+interface HeaderProps {
+    vaultSealed: boolean;
+}
+export declare function Header({ vaultSealed }: HeaderProps): React.JSX.Element;
+export {};

package/dist/tui/components/Header.js

@@ -0,0 +1,16 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from 'ink';
+import { useAppState } from '../state.js';
+import { colors } from '../theme.js';
+const TABS = [
+    { view: 'dashboard', label: 'Dashboard' },
+    { view: 'health', label: 'Health' },
+    { view: 'secrets', label: 'Secrets' },
+];
+function VaultIndicator({ sealed }) {
+    return (_jsx(Text, { color: sealed ? colors.warning : colors.success, children: sealed ? '[SEALED]' : '[UNSEALED]' }));
+}
+export function Header({ vaultSealed }) {
+    const { currentView, redacted } = useAppState();
+    return (_jsxs(Box, { borderStyle: "single", borderBottom: true, paddingX: 1, justifyContent: "space-between", children: [_jsxs(Box, { gap: 1, children: [_jsx(Text, { bold: true, color: colors.primary, children: "Fleet" }), _jsx(Text, { color: colors.muted, children: "|" }), TABS.map(tab => (_jsx(Text, { bold: currentView === tab.view || currentView === 'app-detail' && tab.view === 'dashboard' || currentView === 'secret-edit' && tab.view === 'secrets' || currentView === 'logs' && tab.view === 'dashboard', color: currentView === tab.view ? colors.primary : colors.muted, children: tab.label }, tab.view)))] }), _jsxs(Box, { gap: 1, children: [redacted && _jsx(Text, { color: "magenta", bold: true, children: "[REDACTED]" }), _jsx(VaultIndicator, { sealed: vaultSealed })] })] }));
+}

package/dist/tui/components/KeyHint.d.ts

@@ -0,0 +1,2 @@
+import React from 'react';
+export declare function KeyHint(): React.JSX.Element;

package/dist/tui/components/KeyHint.js

@@ -0,0 +1,55 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from 'ink';
+import { useAppState } from '../state.js';
+import { colors } from '../theme.js';
+const viewHints = {
+    dashboard: [
+        { key: 'j/k', label: 'navigate' },
+        { key: 'Enter', label: 'select' },
+        { key: 'Tab', label: 'switch view' },
+        { key: 'x', label: 'redact' },
+        { key: 'q', label: 'quit' },
+    ],
+    'app-detail': [
+        { key: 'j/k', label: 'navigate' },
+        { key: 'Enter', label: 'run action' },
+        { key: 'x', label: 'redact' },
+        { key: 'Esc', label: 'back' },
+        { key: 'q', label: 'quit' },
+    ],
+    health: [
+        { key: 'j/k', label: 'navigate' },
+        { key: 'Tab', label: 'switch view' },
+        { key: 'x', label: 'redact' },
+        { key: 'q', label: 'quit' },
+    ],
+    secrets: [
+        { key: 'j/k', label: 'navigate' },
+        { key: 'Enter', label: 'select' },
+        { key: 'u', label: 'unseal' },
+        { key: 'l', label: 'seal' },
+        { key: 'a', label: 'add' },
+        { key: 'd', label: 'delete' },
+        { key: 'r', label: 'reveal' },
+        { key: 'x', label: 'redact' },
+        { key: 'Esc', label: 'back' },
+        { key: 'q', label: 'quit' },
+    ],
+    'secret-edit': [
+        { key: 'Enter', label: 'save' },
+        { key: 'Esc', label: 'cancel' },
+    ],
+    logs: [
+        { key: 'f', label: 'follow' },
+        { key: 'x', label: 'redact' },
+        { key: 'Esc', label: 'back' },
+        { key: 'q', label: 'quit' },
+    ],
+};
+export function KeyHint() {
+    const { currentView, confirmAction } = useAppState();
+    const hints = confirmAction
+        ? [{ key: 'y', label: 'confirm' }, { key: 'n', label: 'cancel' }]
+        : viewHints[currentView] ?? [];
+    return (_jsx(Box, { borderStyle: "single", borderTop: true, paddingX: 1, gap: 2, children: hints.map(hint => (_jsxs(Box, { gap: 0, children: [_jsx(Text, { bold: true, color: colors.primary, children: hint.key }), _jsxs(Text, { color: colors.muted, children: [" ", hint.label] })] }, hint.key))) }));
+}

package/dist/tui/components/StatusBadge.d.ts

@@ -0,0 +1,7 @@
+import React from 'react';
+interface StatusBadgeProps {
+    value: string;
+    type?: 'systemd' | 'health';
+}
+export declare function StatusBadge({ value, type }: StatusBadgeProps): React.JSX.Element;
+export {};

package/dist/tui/components/StatusBadge.js

@@ -0,0 +1,8 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+import { Text } from 'ink';
+import { statusColor, healthColor } from '../theme.js';
+export function StatusBadge({ value, type = 'health' }) {
+    const colorMap = type === 'systemd' ? statusColor : healthColor;
+    const color = colorMap[value] ?? 'gray';
+    return _jsx(Text, { color: color, children: value });
+}

package/dist/tui/exec-bridge.d.ts

@@ -0,0 +1,11 @@
+export interface CommandResult {
+    ok: boolean;
+    output: string;
+}
+export declare function runFleetCommand(args: string[]): Promise<CommandResult>;
+export declare function runFleetJson<T>(args: string[]): Promise<T | null>;
+export interface StreamHandle {
+    kill: () => void;
+    onData: (cb: (line: string) => void) => void;
+}
+export declare function streamFleetCommand(args: string[]): StreamHandle;