@matthesketh/fleet 1.1.0 → 1.6.0

package/dist/core/secrets-rotation.js

@@ -0,0 +1,165 @@
+/**
+ * Rotation engine: takes a parsed plaintext env, applies a per-secret rotation
+ * (immediate, dual-mode, etc.), re-seals, restarts the service, runs a health
+ * gate, and rolls back on failure. Pure functions where possible — I/O isolated
+ * to thin wrappers so tests can run without a real vault.
+ */
+import { decryptApp, sealApp, loadManifest } from './secrets.js';
+import { snapshotApp, restoreSnapshot } from './secrets-snapshots.js';
+import { auditLog } from './secrets-audit.js';
+import { markRotated } from './secrets-metadata.js';
+import { classifySecret } from './secrets-providers.js';
+import { SecretsError } from './errors.js';
+/** Mask a NEW (just-entered) secret value for confirmation display. */
+export function maskNewValue(value) {
+    if (value.length <= 4)
+        return `*** (${value.length} chars)`;
+    if (value.length <= 12)
+        return `${value.slice(0, 2)}***${value.slice(-2)} (${value.length} chars)`;
+    return `${value.slice(0, 4)}…${value.slice(-4)} (${value.length} chars)`;
+}
+/** Validate against provider format if any. Returns null on pass, error string on fail. */
+export function validateFormat(value, provider) {
+    if (!provider?.format)
+        return null;
+    if (provider.format.test(value))
+        return null;
+    return `Value does not match ${provider.name} format (${provider.format.source})`;
+}
+/** Reject obvious placeholders / low-entropy strings. */
+export function checkEntropy(value) {
+    const lower = value.toLowerCase().trim();
+    const placeholders = [
+        'todo', 'changeme', 'change-me', 'change_me', 'placeholder',
+        'password', 'secret', 'changethis', 'change-this',
+        'foo', 'bar', 'baz', 'test', 'example', 'xxx', 'yyy', 'zzz',
+        'replace_me', 'replace-me', 'fixme',
+    ];
+    if (placeholders.includes(lower)) {
+        // Don't echo the rejected value — even an obvious placeholder might be
+        // an unintended paste of a real secret that just happened to start with
+        // a placeholder substring.
+        return `Value looks like a placeholder, not a real secret`;
+    }
+    if (value.length < 8) {
+        return `Value too short (${value.length} chars) — secrets should be ≥ 8 chars`;
+    }
+    if (/^(.)\1+$/.test(value)) {
+        return `Value is all the same character`;
+    }
+    return null;
+}
+export function parseEnv(plaintext) {
+    const lines = [];
+    for (const raw of plaintext.split('\n')) {
+        if (raw.trim() === '' || raw.trim().startsWith('#')) {
+            lines.push({ kind: 'raw', text: raw });
+            continue;
+        }
+        const eq = raw.indexOf('=');
+        if (eq < 0) {
+            lines.push({ kind: 'raw', text: raw });
+            continue;
+        }
+        lines.push({ kind: 'kv', key: raw.substring(0, eq), value: raw.substring(eq + 1) });
+    }
+    return lines;
+}
+export function serialiseEnv(lines) {
+    return lines
+        .map(l => (l.kind === 'kv' ? `${l.key}=${l.value}` : l.text))
+        .join('\n');
+}
+/**
+ * Apply a single secret update. For dual-mode strategies, the OLD value is
+ * preserved as <NAME>_PREVIOUS so the app can verify legacy tokens during
+ * the grace period. Returns the new env content.
+ */
+export function applyRotation(plaintext, key, newValue, strategy) {
+    const lines = parseEnv(plaintext);
+    const idx = lines.findIndex(l => l.kind === 'kv' && l.key === key);
+    if (idx < 0)
+        throw new SecretsError(`Key not found in env: ${key}`);
+    const existing = lines[idx];
+    if (existing.kind !== 'kv')
+        throw new SecretsError('Internal: kv expected');
+    if (strategy === 'dual-mode') {
+        const prevKey = `${key}_PREVIOUS`;
+        const oldValue = existing.value;
+        // Replace primary with new value
+        lines[idx] = { kind: 'kv', key, value: newValue };
+        // Insert/update the _PREVIOUS line right after the primary
+        const prevIdx = lines.findIndex(l => l.kind === 'kv' && l.key === prevKey);
+        if (prevIdx >= 0) {
+            lines[prevIdx] = { kind: 'kv', key: prevKey, value: oldValue };
+        }
+        else {
+            lines.splice(idx + 1, 0, { kind: 'kv', key: prevKey, value: oldValue });
+        }
+    }
+    else {
+        lines[idx] = { kind: 'kv', key, value: newValue };
+    }
+    return serialiseEnv(lines);
+}
+/**
+ * Full rotation pipeline. Caller is expected to have already collected and
+ * validated the new value via the interactive prompts. This orchestrates
+ * snapshot → seal → audit. Restart + health-gate are caller's responsibility
+ * (we want the engine pure-ish so it's easy to test).
+ */
+export function performRotation(app, key, newValue, opts = {}) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        throw new SecretsError(`No app in manifest: ${app}`);
+    if (entry.type !== 'env') {
+        throw new SecretsError(`Rotation only supports env-type apps, got ${entry.type}`);
+    }
+    const provider = classifySecret(key);
+    const strategy = provider?.strategy ?? 'immediate';
+    if (strategy === 'user-issued') {
+        throw new SecretsError(`${key} is a user-issued token. Rotating yours doesn't help — invalidate per-user instead.`);
+    }
+    // Strict typed opt — was previously a substring match on opts.notes which
+    // could be bypassed by any caller embedding the flag in free-text notes.
+    if (strategy === 'at-rest-key' && !opts.dataMigrated) {
+        throw new SecretsError(`${key} encrypts data at rest. Re-encrypt your data first, then pass --data-migrated.`);
+    }
+    if (opts.dryRun) {
+        auditLog({ op: 'rotate-attempted', app, secret: key, ok: true, details: 'dry-run' });
+        return { app, key, strategy, snapshot: '(dry-run)', rolledBack: false };
+    }
+    // 1. Snapshot before any change.
+    const snapshot = snapshotApp(app);
+    auditLog({ op: 'snapshot', app, secret: key, ok: true, details: snapshot });
+    try {
+        // 2. Decrypt, apply rotation, re-encrypt.
+        const plaintext = decryptApp(app);
+        const updated = applyRotation(plaintext, key, newValue, strategy);
+        sealApp(app, updated, entry.sourceFile);
+        // 3. Stamp metadata.
+        markRotated(app, key, { strategy, notes: opts.notes });
+        auditLog({ op: 'rotate', app, secret: key, ok: true, details: `strategy=${strategy}` });
+        return { app, key, strategy, snapshot, rolledBack: false };
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        // Restore from snapshot on any failure.
+        try {
+            restoreSnapshot(app);
+            auditLog({ op: 'rollback', app, secret: key, ok: true, details: `auto: ${reason}` });
+        }
+        catch (rollbackErr) {
+            auditLog({
+                op: 'rollback',
+                app,
+                secret: key,
+                ok: false,
+                details: `auto rollback also failed: ${rollbackErr}`,
+            });
+        }
+        auditLog({ op: 'rotate-failed', app, secret: key, ok: false, details: reason });
+        return { app, key, strategy, snapshot, rolledBack: true, reason };
+    }
+}

package/dist/core/secrets-snapshots.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Pre-rotation vault snapshots. Every destructive operation copies the
+ * current encrypted file to vault/.snapshots/<app>-<timestamp>.env.age
+ * BEFORE making changes. Restoration is one command.
+ *
+ * Snapshots are immutable (copy + atomic-rename pattern). Cleanup is
+ * manual via `fleet secrets snapshots prune` — we never auto-delete.
+ */
+export interface Snapshot {
+    app: string;
+    timestamp: string;
+    path: string;
+    sizeBytes: number;
+}
+/** Pre-rotation copy. Returns the absolute path to the snapshot. */
+export declare function snapshotApp(app: string): string;
+/** All snapshots for an app, newest first. */
+export declare function listSnapshots(app: string): Snapshot[];
+/**
+ * Restore a snapshot. Without a timestamp, uses the newest. Replaces the live
+ * vault file in-place. Returns the snapshot that was used.
+ */
+export declare function restoreSnapshot(app: string, timestamp?: string): Snapshot;
+/** Delete snapshots older than `keep` (count, newest kept). Returns # deleted. */
+export declare function pruneSnapshots(app: string, keep: number): number;
+export declare function getSnapshotDir(): string;

package/dist/core/secrets-snapshots.js

@@ -0,0 +1,95 @@
+/**
+ * Pre-rotation vault snapshots. Every destructive operation copies the
+ * current encrypted file to vault/.snapshots/<app>-<timestamp>.env.age
+ * BEFORE making changes. Restoration is one command.
+ *
+ * Snapshots are immutable (copy + atomic-rename pattern). Cleanup is
+ * manual via `fleet secrets snapshots prune` — we never auto-delete.
+ */
+import { existsSync, mkdirSync, copyFileSync, readdirSync, statSync, renameSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import { loadManifest, VAULT_DIR } from './secrets.js';
+import { SecretsError } from './errors.js';
+// Computed lazily via snapshotDir() so test mocks of VAULT_DIR work cleanly.
+function snapshotDir() {
+    return join(VAULT_DIR, '.snapshots');
+}
+function ensureSnapshotDir() {
+    if (!existsSync(snapshotDir())) {
+        mkdirSync(snapshotDir(), { recursive: true, mode: 0o700 });
+    }
+}
+/** Pre-rotation copy. Returns the absolute path to the snapshot. */
+export function snapshotApp(app) {
+    ensureSnapshotDir();
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        throw new SecretsError(`No app in manifest: ${app}`);
+    const src = join(VAULT_DIR, entry.encryptedFile);
+    if (!existsSync(src))
+        throw new SecretsError(`Vault file missing: ${entry.encryptedFile}`);
+    const ts = new Date().toISOString().replace(/[:.]/g, '-');
+    const dest = join(snapshotDir(), `${app}-${ts}.env.age`);
+    const tmp = dest + '.tmp';
+    copyFileSync(src, tmp);
+    renameSync(tmp, dest); // atomic
+    return dest;
+}
+/** All snapshots for an app, newest first. */
+export function listSnapshots(app) {
+    if (!existsSync(snapshotDir()))
+        return [];
+    const prefix = `${app}-`;
+    return readdirSync(snapshotDir())
+        .filter(f => f.startsWith(prefix) && f.endsWith('.env.age'))
+        .map(f => {
+        const path = join(snapshotDir(), f);
+        const ts = f.substring(prefix.length, f.length - '.env.age'.length);
+        return {
+            app,
+            timestamp: ts,
+            path,
+            sizeBytes: statSync(path).size,
+        };
+    })
+        .sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+}
+/**
+ * Restore a snapshot. Without a timestamp, uses the newest. Replaces the live
+ * vault file in-place. Returns the snapshot that was used.
+ */
+export function restoreSnapshot(app, timestamp) {
+    const snaps = listSnapshots(app);
+    if (snaps.length === 0)
+        throw new SecretsError(`No snapshots for ${app}`);
+    const target = timestamp
+        ? snaps.find(s => s.timestamp === timestamp)
+        : snaps[0];
+    if (!target)
+        throw new SecretsError(`Snapshot not found: ${timestamp}`);
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        throw new SecretsError(`No app in manifest: ${app}`);
+    const dest = join(VAULT_DIR, entry.encryptedFile);
+    // Atomic replace: copy → fsync → rename. A crash mid-restore leaves the
+    // original vault file intact (the tmp file is the only thing in flux).
+    const tmp = dest + '.restore.tmp';
+    copyFileSync(target.path, tmp);
+    renameSync(tmp, dest);
+    return target;
+}
+/** Delete snapshots older than `keep` (count, newest kept). Returns # deleted. */
+export function pruneSnapshots(app, keep) {
+    const snaps = listSnapshots(app);
+    if (snaps.length <= keep)
+        return 0;
+    const drop = snaps.slice(keep);
+    for (const s of drop)
+        unlinkSync(s.path);
+    return drop.length;
+}
+export function getSnapshotDir() {
+    return snapshotDir();
+}

package/dist/core/secrets-validate.js

@@ -43,7 +43,8 @@ export function validateApp(appName) {
     let composePath;
     let composeFile = null;
     if (appName === 'docker-databases') {
-        composePath = '/home/matt/docker-databases';
+        const reg = load();
+        composePath = reg.infrastructure.databases.composePath;
     }
     else {
         const reg = load();

package/dist/core/secrets.d.ts

@@ -1,6 +1,12 @@
-export declare const VAULT_DIR = "/home/matt/fleet/vault";
+export declare const VAULT_DIR: string;
 export declare const KEY_PATH = "/etc/fleet/age.key";
 export declare const RUNTIME_DIR = "/run/fleet-secrets";
+export interface SecretMetadata {
+    lastRotated: string;
+    provider?: string;
+    strategy?: 'immediate' | 'dual-mode' | 'at-rest-key' | 'user-issued';
+    notes?: string;
+}
 export interface ManifestEntry {
     type: 'env' | 'secrets-dir';
     encryptedFile: string;
@@ -8,6 +14,11 @@ export interface ManifestEntry {
     files?: string[];
     lastSealedAt: string;
     keyCount: number;
+    /** Per-secret metadata, keyed by secret name. Backwards-compatible: missing means
+     * lastRotated falls back to lastSealedAt and provider is auto-classified at read time. */
+    secrets?: Record<string, SecretMetadata>;
+    /** Per-app age recipient public key, used by harden --per-app to limit blast radius. */
+    recipient?: string;
 }
 export interface Manifest {
     version: number;

package/dist/core/secrets.js

@@ -1,17 +1,17 @@
 import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, chmodSync, rmSync, copyFileSync } from 'node:fs';
-import { join } from 'node:path';
-import { execSync } from 'node:child_process';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { SecretsError, VaultNotInitializedError } from './errors.js';
-export const VAULT_DIR = '/home/matt/fleet/vault';
+import { execSafe } from './exec.js';
+import { assertAppName, assertFilePath } from './validate.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+export const VAULT_DIR = join(__dirname, '..', '..', 'vault');
 export const KEY_PATH = '/etc/fleet/age.key';
 export const RUNTIME_DIR = '/run/fleet-secrets';
 const MANIFEST_PATH = join(VAULT_DIR, 'manifest.json');
 const SECRET_DELIMITER = '---SECRET:';
 export function ensureAge() {
-    try {
-        execSync('which age', { stdio: 'pipe' });
-    }
-    catch {
+    if (!execSafe('which', ['age']).ok) {
         throw new SecretsError('age not found. Install with: apt install age');
     }
 }
@@ -27,7 +27,10 @@ function requireInit() {
 }
 export function getPublicKey() {
     requireInit();
-    return execSync(`age-keygen -y ${KEY_PATH}`, { encoding: 'utf-8' }).trim();
+    const r = execSafe('age-keygen', ['-y', KEY_PATH]);
+    if (!r.ok)
+        throw new SecretsError(`Failed to read public key: ${r.stderr}`);
+    return r.stdout;
 }
 export function initVault() {
     ensureAge();
@@ -37,7 +40,9 @@ export function initVault() {
     if (!existsSync(keyDir)) {
         mkdirSync(keyDir, { recursive: true, mode: 0o700 });
     }
-    execSync(`age-keygen -o ${KEY_PATH} 2>/dev/null`);
+    const keygen = execSafe('age-keygen', ['-o', KEY_PATH]);
+    if (!keygen.ok)
+        throw new SecretsError(`Failed to generate key: ${keygen.stderr}`);
     chmodSync(KEY_PATH, 0o600);
     if (!existsSync(VAULT_DIR)) {
         mkdirSync(VAULT_DIR, { recursive: true });
@@ -49,7 +54,12 @@ export function loadManifest() {
     requireInit();
     if (!existsSync(MANIFEST_PATH))
         return { version: 1, apps: {} };
-    return JSON.parse(readFileSync(MANIFEST_PATH, 'utf-8'));
+    try {
+        return JSON.parse(readFileSync(MANIFEST_PATH, 'utf-8'));
+    }
+    catch {
+        return { apps: {} };
+    }
 }
 export function saveManifest(manifest) {
     writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + '\n');
@@ -89,27 +99,27 @@ export function removeBackup(app) {
 }
 export function ageEncrypt(plaintext) {
     const pubkey = getPublicKey();
-    return execSync(`age -r ${pubkey} --armor`, {
-        input: plaintext,
-        encoding: 'utf-8',
-        maxBuffer: 10 * 1024 * 1024,
-    });
+    const r = execSafe('age', ['-r', pubkey, '--armor'], { input: plaintext });
+    if (!r.ok)
+        throw new SecretsError(`age encrypt failed: ${r.stderr}`);
+    return r.stdout;
 }
 export function ageDecrypt(ciphertext) {
-    return execSync(`age -d -i ${KEY_PATH}`, {
-        input: ciphertext,
-        encoding: 'utf-8',
-        maxBuffer: 10 * 1024 * 1024,
-    });
+    const r = execSafe('age', ['-d', '-i', KEY_PATH], { input: ciphertext.toString() });
+    if (!r.ok)
+        throw new SecretsError(`age decrypt failed: ${r.stderr}`);
+    return r.stdout;
 }
 export function ageDecryptFile(filePath) {
-    return execSync(`age -d -i ${KEY_PATH} "${filePath}"`, {
-        encoding: 'utf-8',
-        maxBuffer: 10 * 1024 * 1024,
-    });
+    assertFilePath(filePath);
+    const r = execSafe('age', ['-d', '-i', KEY_PATH, filePath]);
+    if (!r.ok)
+        throw new SecretsError(`age decrypt file failed: ${r.stderr}`);
+    return r.stdout;
 }
 export function sealApp(app, envContent, sourceFile) {
     requireInit();
+    assertAppName(app);
     const encrypted = ageEncrypt(envContent);
     const encFile = `${app}.env.age`;
     writeFileSync(join(VAULT_DIR, encFile), encrypted);
@@ -126,6 +136,7 @@ export function sealApp(app, envContent, sourceFile) {
 }
 export function sealDbSecrets(app, secretsMap, sourceDir) {
     requireInit();
+    assertAppName(app);
     const filenames = Object.keys(secretsMap).sort();
     const parts = filenames.map(f => `${SECRET_DELIMITER}${f}---\n${secretsMap[f]}`);
     const bundle = parts.join('\n');

package/dist/core/self-update.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Self-update check and apply for fleet itself.
+ *
+ * fleet is installed via `npm link`-style symlink from /usr/local/bin/fleet to
+ * /home/matt/fleet/dist/index.js. Updates are produced by:
+ *   1. git pull --ff-only origin develop  in /home/matt/fleet
+ *   2. npm run build  (rewrites dist/)
+ *
+ * checkForUpdate() does a non-blocking `git fetch` + compares HEAD with the
+ * remote. applyUpdate() runs the pull + build. Both are pure shell wrappers
+ * around execSafe — easy to mock in tests, easy to reason about under sudo.
+ */
+export interface UpdateInfo {
+    /** True if `git rev-parse @{u}` shows commits ahead of HEAD. */
+    available: boolean;
+    /** Number of commits HEAD is behind origin. 0 if up-to-date. */
+    behind: number;
+    /** Short subject of the latest remote commit (or empty string on failure). */
+    latestSubject: string;
+    /** Branch name in the local repo. */
+    branch: string;
+    /** Why the check failed, if it did. */
+    error?: string;
+}
+export interface UpdateResult {
+    ok: boolean;
+    pulled: number;
+    buildOk: boolean;
+    output: string;
+}
+/**
+ * Non-blocking check. Does a `git fetch` (timeboxed) then compares.
+ * Returns a stable UpdateInfo even on failure (just `available=false`).
+ */
+export declare function checkForUpdate(): Promise<UpdateInfo>;
+/**
+ * Apply: git pull --ff-only + npm run build. Refuses to run if the working
+ * tree is dirty (would clobber uncommitted changes). Returns aggregate output
+ * for the toast / TUI to surface.
+ */
+export declare function applyUpdate(): Promise<UpdateResult>;

package/dist/core/self-update.js

@@ -0,0 +1,73 @@
+/**
+ * Self-update check and apply for fleet itself.
+ *
+ * fleet is installed via `npm link`-style symlink from /usr/local/bin/fleet to
+ * /home/matt/fleet/dist/index.js. Updates are produced by:
+ *   1. git pull --ff-only origin develop  in /home/matt/fleet
+ *   2. npm run build  (rewrites dist/)
+ *
+ * checkForUpdate() does a non-blocking `git fetch` + compares HEAD with the
+ * remote. applyUpdate() runs the pull + build. Both are pure shell wrappers
+ * around execSafe — easy to mock in tests, easy to reason about under sudo.
+ */
+import { dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { execSafe } from './exec.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+// dist/core/self-update.js → repo root is two ../
+const FLEET_REPO = process.env.FLEET_REPO_PATH ?? `${__dirname}/../..`;
+/**
+ * Non-blocking check. Does a `git fetch` (timeboxed) then compares.
+ * Returns a stable UpdateInfo even on failure (just `available=false`).
+ */
+export async function checkForUpdate() {
+    const branchR = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', '--abbrev-ref', 'HEAD']);
+    if (!branchR.ok) {
+        return { available: false, behind: 0, latestSubject: '', branch: '?', error: branchR.stderr };
+    }
+    const branch = branchR.stdout;
+    // Fetch quietly, with a short timeout so we never block the TUI launch.
+    const fetchR = execSafe('git', ['-C', FLEET_REPO, 'fetch', '--quiet', 'origin', branch], { timeout: 8_000 });
+    if (!fetchR.ok) {
+        return { available: false, behind: 0, latestSubject: '', branch, error: 'fetch failed' };
+    }
+    const countR = execSafe('git', ['-C', FLEET_REPO, 'rev-list', '--count', `HEAD..origin/${branch}`]);
+    if (!countR.ok) {
+        return { available: false, behind: 0, latestSubject: '', branch, error: countR.stderr };
+    }
+    const behind = parseInt(countR.stdout, 10) || 0;
+    let latestSubject = '';
+    if (behind > 0) {
+        const subR = execSafe('git', ['-C', FLEET_REPO, 'log', '-1', '--pretty=%s', `origin/${branch}`]);
+        latestSubject = subR.ok ? subR.stdout : '';
+    }
+    return { available: behind > 0, behind, latestSubject, branch };
+}
+/**
+ * Apply: git pull --ff-only + npm run build. Refuses to run if the working
+ * tree is dirty (would clobber uncommitted changes). Returns aggregate output
+ * for the toast / TUI to surface.
+ */
+export async function applyUpdate() {
+    const dirty = execSafe('git', ['-C', FLEET_REPO, 'status', '--porcelain']);
+    if (dirty.ok && dirty.stdout.length > 0) {
+        return {
+            ok: false, pulled: 0, buildOk: false,
+            output: 'Refusing to update: working tree is dirty. Commit or stash first.',
+        };
+    }
+    const pre = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', 'HEAD']);
+    const pull = execSafe('git', ['-C', FLEET_REPO, 'pull', '--ff-only'], { timeout: 30_000 });
+    if (!pull.ok) {
+        return { ok: false, pulled: 0, buildOk: false, output: pull.stderr || pull.stdout };
+    }
+    const post = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', 'HEAD']);
+    const pulled = pre.stdout !== post.stdout ? 1 : 0; // 1 = something updated
+    const build = execSafe('npm', ['run', 'build'], { cwd: FLEET_REPO, timeout: 120_000 });
+    return {
+        ok: pull.ok && build.ok,
+        pulled,
+        buildOk: build.ok,
+        output: pulled === 0 ? 'Already up to date.' : (build.ok ? 'Updated + rebuilt.' : build.stderr),
+    };
+}

package/dist/core/systemd.js

@@ -1,9 +1,10 @@
 import { existsSync, readFileSync, writeFileSync } from 'node:fs';
-import { exec } from './exec.js';
+import { execSafe } from './exec.js';
+import { assertServiceName } from './validate.js';
 let _systemdAvailable = null;
 export function systemdAvailable() {
     if (_systemdAvailable === null) {
-        const result = exec('systemctl is-system-running');
+        const result = execSafe('systemctl', ['is-system-running']);
         // Returns "running", "degraded", etc. when systemd is PID 1.
         // Returns "offline" when not booted with systemd.
         _systemdAvailable = result.ok || result.stdout === 'degraded';
@@ -21,7 +22,11 @@ function parseSystemctlShow(output) {
     return props;
 }
 export function getServiceStatus(serviceName) {
-    const result = exec(`systemctl show ${serviceName}.service --property=ActiveState,UnitFileState,Description --no-pager`);
+    assertServiceName(serviceName);
+    const result = execSafe('systemctl', [
+        'show', `${serviceName}.service`,
+        '--property=ActiveState,UnitFileState,Description', '--no-pager',
+    ]);
     const props = parseSystemctlShow(result.stdout);
     return {
         name: serviceName,
@@ -34,8 +39,13 @@ export function getServiceStatus(serviceName) {
 export function getMultipleServiceStatuses(serviceNames) {
     if (serviceNames.length === 0)
         return new Map();
-    const args = serviceNames.map(n => `${n}.service`).join(' ');
-    const result = exec(`systemctl show ${args} --property=Id,ActiveState,UnitFileState,Description --no-pager`, { timeout: 15_000 });
+    for (const n of serviceNames)
+        assertServiceName(n);
+    const units = serviceNames.map(n => `${n}.service`);
+    const result = execSafe('systemctl', [
+        'show', ...units,
+        '--property=Id,ActiveState,UnitFileState,Description', '--no-pager',
+    ], { timeout: 15_000 });
     const map = new Map();
     if (!result.stdout)
         return map;
@@ -58,24 +68,29 @@ export function getMultipleServiceStatuses(serviceNames) {
     return map;
 }
 export function startService(serviceName) {
-    return exec(`systemctl start ${serviceName}.service`, { timeout: 60_000 }).ok;
+    assertServiceName(serviceName);
+    return execSafe('systemctl', ['start', `${serviceName}.service`], { timeout: 60_000 }).ok;
 }
 export function stopService(serviceName) {
-    return exec(`systemctl stop ${serviceName}.service`, { timeout: 60_000 }).ok;
+    assertServiceName(serviceName);
+    return execSafe('systemctl', ['stop', `${serviceName}.service`], { timeout: 60_000 }).ok;
 }
 export function restartService(serviceName) {
-    return exec(`systemctl restart ${serviceName}.service`, { timeout: 120_000 }).ok;
+    assertServiceName(serviceName);
+    return execSafe('systemctl', ['restart', `${serviceName}.service`], { timeout: 120_000 }).ok;
 }
 export function enableService(serviceName) {
-    return exec(`systemctl enable ${serviceName}.service`).ok;
+    assertServiceName(serviceName);
+    return execSafe('systemctl', ['enable', `${serviceName}.service`]).ok;
 }
 export function disableService(serviceName) {
-    return exec(`systemctl disable ${serviceName}.service`).ok;
+    assertServiceName(serviceName);
+    return execSafe('systemctl', ['disable', `${serviceName}.service`]).ok;
 }
 export function installServiceFile(serviceName, content) {
     const path = `/etc/systemd/system/${serviceName}.service`;
     writeFileSync(path, content);
-    exec('systemctl daemon-reload');
+    execSafe('systemctl', ['daemon-reload']);
 }
 export function readServiceFile(serviceName) {
     const path = `/etc/systemd/system/${serviceName}.service`;
@@ -84,7 +99,9 @@ export function readServiceFile(serviceName) {
     return readFileSync(path, 'utf-8');
 }
 export function discoverServices() {
-    const result = exec('systemctl list-units --type=service --state=active --no-legend --no-pager', { timeout: 10_000 });
+    const result = execSafe('systemctl', [
+        'list-units', '--type=service', '--state=active', '--no-legend', '--no-pager',
+    ], { timeout: 10_000 });
     if (!result.ok)
         return [];
     return result.stdout.split('\n')

package/dist/core/telegram.d.ts

@@ -0,0 +1,6 @@
+export interface TelegramConfig {
+    botToken: string;
+    chatId: string;
+}
+export declare function loadTelegramConfig(): TelegramConfig | null;
+export declare function sendTelegram(config: TelegramConfig, message: string): Promise<boolean>;