npm - @matthesketh/fleet - Versions diffs - 1.1.0 → 1.6.0 - Mend

@matthesketh/fleet 1.1.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (217) hide show

package/README.md +183 -251
package/dist/adapters/detector/index.d.ts +8 -0
package/dist/adapters/detector/index.js +54 -0
package/dist/adapters/notifier/index.d.ts +2 -0
package/dist/adapters/notifier/index.js +2 -0
package/dist/adapters/notifier/stdout.d.ts +2 -0
package/dist/adapters/notifier/stdout.js +8 -0
package/dist/adapters/notifier/webhook.d.ts +9 -0
package/dist/adapters/notifier/webhook.js +38 -0
package/dist/adapters/runner/claude-cli.d.ts +7 -0
package/dist/adapters/runner/claude-cli.js +231 -0
package/dist/adapters/runner/mcp-call.d.ts +8 -0
package/dist/adapters/runner/mcp-call.js +82 -0
package/dist/adapters/runner/shell.d.ts +2 -0
package/dist/adapters/runner/shell.js +103 -0
package/dist/adapters/scheduler/systemd-timer.d.ts +17 -0
package/dist/adapters/scheduler/systemd-timer.js +149 -0
package/dist/adapters/signals/ci-status.d.ts +2 -0
package/dist/adapters/signals/ci-status.js +79 -0
package/dist/adapters/signals/container-up.d.ts +5 -0
package/dist/adapters/signals/container-up.js +54 -0
package/dist/adapters/signals/git-clean.d.ts +2 -0
package/dist/adapters/signals/git-clean.js +55 -0
package/dist/adapters/signals/index.d.ts +6 -0
package/dist/adapters/signals/index.js +7 -0
package/dist/adapters/types.d.ts +52 -0
package/dist/adapters/types.js +1 -0
package/dist/cli.js +43 -2
package/dist/commands/add.js +0 -6
package/dist/commands/boot-start.d.ts +1 -0
package/dist/commands/boot-start.js +51 -0
package/dist/commands/deploy.js +13 -0
package/dist/commands/deps.js +5 -0
package/dist/commands/egress.d.ts +1 -0
package/dist/commands/egress.js +106 -0
package/dist/commands/freeze.d.ts +4 -0
package/dist/commands/freeze.js +64 -0
package/dist/commands/logs.d.ts +1 -1
package/dist/commands/logs.js +237 -8
package/dist/commands/patch-systemd.d.ts +1 -0
package/dist/commands/patch-systemd.js +126 -0
package/dist/commands/rollback.d.ts +1 -0
package/dist/commands/rollback.js +58 -0
package/dist/commands/routine-run.d.ts +1 -0
package/dist/commands/routine-run.js +122 -0
package/dist/commands/routines.d.ts +1 -0
package/dist/commands/routines.js +25 -0
package/dist/commands/secrets.js +449 -16
package/dist/commands/status.js +7 -3
package/dist/commands/watchdog.d.ts +1 -1
package/dist/commands/watchdog.js +16 -40
package/dist/core/boot-refresh.d.ts +57 -0
package/dist/core/boot-refresh.js +116 -0
package/dist/core/deps/actors/pr-creator.js +11 -9
package/dist/core/deps/collectors/docker-running.js +2 -2
package/dist/core/deps/collectors/github-pr.js +5 -2
package/dist/core/deps/collectors/npm.js +10 -5
package/dist/core/deps/collectors/vulnerability.js +10 -6
package/dist/core/deps/reporters/motd.js +1 -1
package/dist/core/deps/reporters/telegram.js +2 -29
package/dist/core/docker.js +45 -15
package/dist/core/egress.d.ts +41 -0
package/dist/core/egress.js +161 -0
package/dist/core/exec.d.ts +7 -1
package/dist/core/exec.js +25 -17
package/dist/core/git.d.ts +1 -0
package/dist/core/git.js +36 -23
package/dist/core/github.js +27 -8
package/dist/core/health.d.ts +3 -0
package/dist/core/health.js +15 -3
package/dist/core/logs-multi.d.ts +73 -0
package/dist/core/logs-multi.js +163 -0
package/dist/core/logs-policy.d.ts +55 -0
package/dist/core/logs-policy.js +148 -0
package/dist/core/nginx.js +8 -4
package/dist/core/notify.d.ts +15 -0
package/dist/core/notify.js +55 -0
package/dist/core/registry.d.ts +25 -0
package/dist/core/registry.js +57 -10
package/dist/core/routines/cost-queries.d.ts +24 -0
package/dist/core/routines/cost-queries.js +65 -0
package/dist/core/routines/db.d.ts +9 -0
package/dist/core/routines/db.js +126 -0
package/dist/core/routines/defaults.d.ts +2 -0
package/dist/core/routines/defaults.js +72 -0
package/dist/core/routines/engine.d.ts +59 -0
package/dist/core/routines/engine.js +175 -0
package/dist/core/routines/incidents.d.ts +13 -0
package/dist/core/routines/incidents.js +35 -0
package/dist/core/routines/schema.d.ts +418 -0
package/dist/core/routines/schema.js +113 -0
package/dist/core/routines/signals-collector.d.ts +35 -0
package/dist/core/routines/signals-collector.js +114 -0
package/dist/core/routines/store.d.ts +316 -0
package/dist/core/routines/store.js +99 -0
package/dist/core/routines/test-utils.d.ts +2 -0
package/dist/core/routines/test-utils.js +13 -0
package/dist/core/secrets-audit.d.ts +21 -0
package/dist/core/secrets-audit.js +60 -0
package/dist/core/secrets-metadata.d.ts +39 -0
package/dist/core/secrets-metadata.js +82 -0
package/dist/core/secrets-motd.d.ts +20 -0
package/dist/core/secrets-motd.js +72 -0
package/dist/core/secrets-ops.d.ts +3 -1
package/dist/core/secrets-ops.js +78 -13
package/dist/core/secrets-providers.d.ts +50 -0
package/dist/core/secrets-providers.js +291 -0
package/dist/core/secrets-rotation.d.ts +52 -0
package/dist/core/secrets-rotation.js +165 -0
package/dist/core/secrets-snapshots.d.ts +26 -0
package/dist/core/secrets-snapshots.js +95 -0
package/dist/core/secrets-validate.js +2 -1
package/dist/core/secrets.d.ts +12 -1
package/dist/core/secrets.js +35 -24
package/dist/core/self-update.d.ts +41 -0
package/dist/core/self-update.js +73 -0
package/dist/core/systemd.js +29 -12
package/dist/core/telegram.d.ts +6 -0
package/dist/core/telegram.js +32 -0
package/dist/core/validate.d.ts +7 -0
package/dist/core/validate.js +42 -0
package/dist/index.js +0 -4
package/dist/mcp/deps-tools.js +9 -1
package/dist/mcp/git-tools.js +4 -4
package/dist/mcp/server.js +193 -8
package/dist/templates/systemd.js +3 -3
package/dist/templates/unseal.js +5 -1
package/dist/tui/components/Confirm.js +3 -4
package/dist/tui/components/Header.js +37 -8
package/dist/tui/components/KeyHint.js +14 -5
package/dist/tui/exec-bridge.js +26 -12
package/dist/tui/hooks/use-fleet-data.js +5 -2
package/dist/tui/hooks/use-health.js +5 -2
package/dist/tui/hooks/use-terminal-size.d.ts +1 -0
package/dist/tui/hooks/use-terminal-size.js +1 -0
package/dist/tui/router.js +133 -8
package/dist/tui/routines/RoutinesApp.d.ts +8 -0
package/dist/tui/routines/RoutinesApp.js +277 -0
package/dist/tui/routines/components/AlertsPanel.d.ts +7 -0
package/dist/tui/routines/components/AlertsPanel.js +22 -0
package/dist/tui/routines/components/AlertsPanel.test.d.ts +1 -0
package/dist/tui/routines/components/AlertsPanel.test.js +52 -0
package/dist/tui/routines/components/CommandPalette.d.ts +12 -0
package/dist/tui/routines/components/CommandPalette.js +21 -0
package/dist/tui/routines/components/LiveRunPanel.d.ts +12 -0
package/dist/tui/routines/components/LiveRunPanel.js +107 -0
package/dist/tui/routines/components/RoutineForm.d.ts +8 -0
package/dist/tui/routines/components/RoutineForm.js +254 -0
package/dist/tui/routines/components/SignalsGrid.d.ts +13 -0
package/dist/tui/routines/components/SignalsGrid.js +34 -0
package/dist/tui/routines/components/SignalsGrid.test.d.ts +1 -0
package/dist/tui/routines/components/SignalsGrid.test.js +43 -0
package/dist/tui/routines/format.d.ts +7 -0
package/dist/tui/routines/format.js +51 -0
package/dist/tui/routines/hooks/use-git-fleet.d.ts +33 -0
package/dist/tui/routines/hooks/use-git-fleet.js +82 -0
package/dist/tui/routines/hooks/use-logs-stream.d.ts +13 -0
package/dist/tui/routines/hooks/use-logs-stream.js +64 -0
package/dist/tui/routines/hooks/use-ops-fleet.d.ts +20 -0
package/dist/tui/routines/hooks/use-ops-fleet.js +70 -0
package/dist/tui/routines/hooks/use-repo-detail.d.ts +31 -0
package/dist/tui/routines/hooks/use-repo-detail.js +104 -0
package/dist/tui/routines/hooks/use-security.d.ts +33 -0
package/dist/tui/routines/hooks/use-security.js +110 -0
package/dist/tui/routines/hooks/use-signals.d.ts +9 -0
package/dist/tui/routines/hooks/use-signals.js +60 -0
package/dist/tui/routines/runtime.d.ts +20 -0
package/dist/tui/routines/runtime.js +40 -0
package/dist/tui/routines/tabs/CostTab.d.ts +7 -0
package/dist/tui/routines/tabs/CostTab.js +24 -0
package/dist/tui/routines/tabs/DashboardTab.d.ts +15 -0
package/dist/tui/routines/tabs/DashboardTab.js +10 -0
package/dist/tui/routines/tabs/GitTab.d.ts +6 -0
package/dist/tui/routines/tabs/GitTab.js +39 -0
package/dist/tui/routines/tabs/LogsTab.d.ts +6 -0
package/dist/tui/routines/tabs/LogsTab.js +58 -0
package/dist/tui/routines/tabs/OpsTab.d.ts +6 -0
package/dist/tui/routines/tabs/OpsTab.js +34 -0
package/dist/tui/routines/tabs/RepoDetailView.d.ts +6 -0
package/dist/tui/routines/tabs/RepoDetailView.js +12 -0
package/dist/tui/routines/tabs/RoutinesTab.d.ts +10 -0
package/dist/tui/routines/tabs/RoutinesTab.js +58 -0
package/dist/tui/routines/tabs/ScaffoldTab.d.ts +2 -0
package/dist/tui/routines/tabs/ScaffoldTab.js +127 -0
package/dist/tui/routines/tabs/SecurityTab.d.ts +6 -0
package/dist/tui/routines/tabs/SecurityTab.js +31 -0
package/dist/tui/routines/tabs/SettingsTab.d.ts +6 -0
package/dist/tui/routines/tabs/SettingsTab.js +61 -0
package/dist/tui/routines/tabs/TimelineTab.d.ts +7 -0
package/dist/tui/routines/tabs/TimelineTab.js +26 -0
package/dist/tui/state.js +16 -1
package/dist/tui/tests/flicker.test.d.ts +1 -0
package/dist/tui/tests/flicker.test.js +105 -0
package/dist/tui/tests/keyboard-integration.test.d.ts +1 -0
package/dist/tui/tests/keyboard-integration.test.js +120 -0
package/dist/tui/tests/test-app.d.ts +4 -0
package/dist/tui/tests/test-app.js +79 -0
package/dist/tui/types.d.ts +14 -1
package/dist/tui/views/AppDetail.js +40 -26
package/dist/tui/views/Dashboard.js +34 -9
package/dist/tui/views/HealthView.js +42 -12
package/dist/tui/views/LogsView.js +38 -10
package/dist/tui/views/MultiLogsView.d.ts +2 -0
package/dist/tui/views/MultiLogsView.js +165 -0
package/dist/tui/views/SecretEdit.js +18 -7
package/dist/tui/views/SecretsView.js +55 -39
package/dist/ui/prompt.d.ts +52 -0
package/dist/ui/prompt.js +169 -0
package/package.json +33 -5
package/dist/commands/motd.d.ts +0 -1
package/dist/commands/motd.js +0 -10
package/dist/templates/motd.d.ts +0 -1
package/dist/templates/motd.js +0 -7
package/dist/tui/components/AppList.d.ts +0 -12
package/dist/tui/components/AppList.js +0 -32
package/dist/tui/hooks/use-keyboard.d.ts +0 -1
package/dist/tui/hooks/use-keyboard.js +0 -44

package/dist/commands/secrets.js CHANGED Viewed

@@ -1,16 +1,28 @@
-import { writeFileSync } from 'node:fs';
+import { writeFileSync, chmodSync } from 'node:fs';
 import { join } from 'node:path';
-import { execSync } from 'node:child_process';
+import { execSafe } from '../core/exec.js';
 import { SecretsError } from '../core/errors.js';
 import { load, findApp } from '../core/registry.js';
 import { initVault, loadManifest, listSecrets } from '../core/secrets.js';
-import { setSecret, getSecret, importEnvFile, importDbSecrets, exportApp, unsealAll, sealFromRuntime, rotateKey, getStatus, detectDrift, } from '../core/secrets-ops.js';
+import { enumerateSecrets, enumerateAllSecrets } from '../core/secrets-metadata.js';
+import { setSecret, getSecret, importEnvFile, importDbSecrets, exportApp, sealFromRuntime, rotateKey, getStatus, detectDrift, } from '../core/secrets-ops.js';
 import { restoreVaultFile } from '../core/secrets.js';
 import { generateUnsealService } from '../templates/unseal.js';
 import { validateApp, validateAll } from '../core/secrets-validate.js';
 import { confirm } from '../ui/confirm.js';
+import { prompt, promptHidden } from '../ui/prompt.js';
 import { c, heading, table, success, error, info, warn } from '../ui/output.js';
-const DB_SECRETS_DIR = '/home/matt/docker-databases/secrets';
+import { performRotation, validateFormat, checkEntropy, maskNewValue, } from '../core/secrets-rotation.js';
+import { unsealAll } from '../core/secrets-ops.js';
+import { restartService } from '../core/systemd.js';
+import { checkHealth } from '../core/health.js';
+import { listSnapshots, restoreSnapshot, snapshotApp } from '../core/secrets-snapshots.js';
+import { auditLog } from '../core/secrets-audit.js';
+import { summariseSecrets, formatSecretsMotd, generateSecretsMotdScript } from '../core/secrets-motd.js';
+function getDbSecretsDir() {
+    const reg = load();
+    return join(reg.infrastructure.databases.composePath, 'secrets');
+}
 export async function secretsCommand(args) {
     const sub = args[0];
     const rest = args.slice(1);
@@ -24,13 +36,18 @@ export async function secretsCommand(args) {
         case 'seal': return secretsSeal(rest);
         case 'unseal': return secretsUnseal();
         case 'rotate': return secretsRotate(rest);
+        case 'rotate-key': return secretsRotateKey(rest);
+        case 'ages': return secretsAges(rest);
         case 'validate': return secretsValidate(rest);
         case 'status': return secretsStatus(rest);
         case 'drift': return secretsDrift(rest);
         case 'restore': return secretsRestore(rest);
+        case 'rollback': return secretsRollback(rest);
+        case 'snapshots': return secretsSnapshots(rest);
+        case 'motd-init': return secretsMotdInit();
         case 'seal-runtime': return secretsSeal(rest);
         default:
-            error('Usage: fleet secrets <init|list|set|get|import|export|seal|unseal|rotate|validate|status|drift|restore>');
+            error('Usage: fleet secrets <init|list|set|get|import|export|seal|unseal|rotate|rotate-key|ages|rollback|snapshots|validate|status|drift|restore>');
             process.exit(1);
     }
 }
@@ -41,8 +58,8 @@ function secretsInit() {
     const serviceContent = generateUnsealService();
     const servicePath = '/etc/systemd/system/fleet-unseal.service';
     writeFileSync(servicePath, serviceContent);
-    execSync('systemctl daemon-reload');
-    execSync('systemctl enable fleet-unseal');
+    execSafe('systemctl', ['daemon-reload']);
+    execSafe('systemctl', ['enable', 'fleet-unseal']);
     success('Installed fleet-unseal.service');
 }
 function secretsList(args) {
@@ -76,14 +93,43 @@ function secretsList(args) {
     table(['APP', 'TYPE', 'KEYS', 'LAST SEALED'], rows);
     process.stdout.write('\n');
 }
-function secretsSet(args) {
-    const [app, key, ...valueParts] = args;
-    const value = valueParts.join(' ');
-    if (!app || !key || !value) {
-        error('Usage: fleet secrets set <app> <KEY> <VALUE>');
+async function secretsSet(args) {
+    // Strip flags. Positional layout: <app> <KEY>. Value comes from interactive
+    // prompt (default) or stdin (--from-stdin). The legacy 'value as argv' form
+    // is REJECTED — argv is world-readable via /proc/<pid>/cmdline + lands in
+    // shell history, the exact leak class this branch was built to prevent.
+    const fromStdin = args.includes('--from-stdin');
+    const allowWeak = args.includes('--allow-weak');
+    const positional = args.filter(a => !a.startsWith('-'));
+    const [app, key, ...rest] = positional;
+    if (!app || !key) {
+        error('Usage: fleet secrets set <app> <KEY> [--from-stdin] [--allow-weak]');
+        error('       (interactive paste is the default — value is NEVER passed in argv)');
+        process.exit(1);
+    }
+    if (rest.length > 0) {
+        error('Refusing to take a secret value from argv (visible in /proc/<pid>/cmdline + shell history).');
+        error('Use the interactive prompt or pipe via --from-stdin:');
+        error(`  fleet secrets set ${app} ${key}                          # interactive`);
+        error(`  printf '%s' "$NEW_VALUE" | fleet secrets set ${app} ${key} --from-stdin`);
         process.exit(1);
     }
-    setSecret(app, key, value);
+    let value;
+    if (fromStdin) {
+        const chunks = [];
+        process.stdin.setEncoding('utf8');
+        for await (const chunk of process.stdin)
+            chunks.push(chunk);
+        value = chunks.join('').replace(/\r?\n$/, ''); // strip trailing newline
+    }
+    else {
+        value = await promptHidden(`Paste new value for ${key} (input hidden)`);
+    }
+    if (!value) {
+        error('Empty value — aborting');
+        process.exit(1);
+    }
+    setSecret(app, key, value, { allowWeak });
     success(`Set ${key} for ${app}`);
 }
 function secretsGet(args) {
@@ -107,7 +153,7 @@ function secretsImport(args) {
         process.exit(1);
     }
     if (app === 'docker-databases') {
-        const dir = pathArg || DB_SECRETS_DIR;
+        const dir = pathArg || getDbSecretsDir();
         const count = importDbSecrets(app, dir);
         success(`Imported ${count} secret files from ${dir}`);
         return;
@@ -148,9 +194,9 @@ function secretsSeal(args) {
         success(`Sealed ${a}`);
     }
 }
-async function secretsRotate(args) {
+async function secretsRotateKey(args) {
     const yes = args.includes('-y') || args.includes('--yes');
-    if (!yes && !await confirm('Rotate age key? This will re-encrypt all secrets.')) {
+    if (!yes && !await confirm('Rotate AGE master key? This will re-encrypt all secrets.')) {
         info('Cancelled');
         return;
     }
@@ -161,6 +207,302 @@ async function secretsRotate(args) {
     info(`Re-encrypted ${result.appsRotated.length} apps`);
     warn('Run "fleet secrets unseal" to update runtime secrets');
 }
+function parseRotateArgs(args) {
+    const opts = {
+        dryRun: args.includes('--dry-run'),
+        noRestart: args.includes('--no-restart'),
+        dataMigrated: args.includes('--data-migrated'),
+    };
+    const positional = args.filter(a => !a.startsWith('-'));
+    return { app: positional[0], key: positional[1], opts };
+}
+/**
+ * Walk one secret through the interactive rotation flow. Returns true if
+ * a rotation was performed (regardless of success/rollback), false on skip.
+ */
+async function rotateOneInteractive(app, secret, opts) {
+    const provider = secret.provider;
+    const sensTag = provider
+        ? { critical: c.red, high: c.yellow, medium: c.blue, low: c.dim }[provider.sensitivity] + provider.sensitivity + c.reset
+        : `${c.dim}unclassified${c.reset}`;
+    process.stdout.write(`\n${c.bold}━━━ ${secret.name} ━━━${c.reset}\n`);
+    info(`Current: ${c.dim}${secret.maskedValue}${c.reset}  age: ${secret.ageDays ?? '?'}d  sens: ${sensTag}`);
+    if (provider) {
+        info(`Provider: ${provider.name}`);
+        info(`Strategy: ${provider.strategy}`);
+        if (provider.url)
+            info(`Regen URL: ${c.cyan}${provider.url}${c.reset}`);
+    }
+    const action = await prompt('  [r]otate / [s]kip / [q]uit', 's');
+    const a = action.toLowerCase().slice(0, 1);
+    if (a === 'q') {
+        info('Quitting rotation walkthrough.');
+        process.exit(0);
+    }
+    if (a !== 'r') {
+        info(`Skipped ${secret.name}`);
+        return { acted: false, succeeded: false };
+    }
+    // Strategy gates BEFORE asking for a value — saves user effort.
+    if (provider?.strategy === 'user-issued') {
+        error(`${secret.name} is user-issued. Rotate per-user inside your app, not here.`);
+        return { acted: false, succeeded: false };
+    }
+    if (provider?.strategy === 'at-rest-key' && !opts.dataMigrated) {
+        warn(`${secret.name} encrypts data at rest.`);
+        warn('Re-encrypt your data first, then re-run with --data-migrated');
+        return { acted: false, succeeded: false };
+    }
+    if (provider?.strategy === 'dual-mode') {
+        warn(`Dual-mode rotation: old value will be kept as ${secret.name}_PREVIOUS for the grace period.`);
+        warn('Your app MUST read both values for verification, otherwise existing tokens become invalid.');
+        if (!await confirm('Has your app been updated to read the _PREVIOUS variant?', false)) {
+            info('Skipping — update your app first, then re-run.');
+            return { acted: false, succeeded: false };
+        }
+    }
+    if (provider?.instructions) {
+        process.stdout.write(`\n${c.bold}Steps:${c.reset}\n`);
+        for (const line of provider.instructions.split('\n'))
+            process.stdout.write(`  ${line}\n`);
+    }
+    let newValue;
+    while (true) {
+        newValue = await promptHidden(`Paste new ${secret.name} (input hidden)`);
+        if (!newValue) {
+            info('Empty value — skipping');
+            return { acted: false, succeeded: false };
+        }
+        const formatErr = validateFormat(newValue, provider);
+        const entropyErr = checkEntropy(newValue);
+        if (formatErr) {
+            error(formatErr);
+            if (!await confirm('Try again?', true))
+                return { acted: false, succeeded: false };
+            continue;
+        }
+        if (entropyErr) {
+            error(entropyErr);
+            if (!await confirm('Try again?', true))
+                return { acted: false, succeeded: false };
+            continue;
+        }
+        break;
+    }
+    info(`New value: ${maskNewValue(newValue)}`);
+    if (!await confirm('Apply rotation?', false)) {
+        info('Cancelled');
+        return { acted: false, succeeded: false };
+    }
+    const result = performRotation(app, secret.name, newValue, {
+        dryRun: opts.dryRun,
+        dataMigrated: opts.dataMigrated,
+    });
+    if (result.rolledBack) {
+        error(`${secret.name}: rotation FAILED — auto-rolled back. Reason: ${result.reason}`);
+        return { acted: true, succeeded: false };
+    }
+    if (opts.dryRun) {
+        success(`${secret.name}: dry-run — vault NOT modified`);
+    }
+    else {
+        success(`${secret.name}: rotated  (snapshot: ${result.snapshot.split('/').pop()})`);
+    }
+    return { acted: true, succeeded: true };
+}
+async function secretsRotate(args) {
+    const { app, key, opts } = parseRotateArgs(args);
+    if (!app) {
+        error('Usage: fleet secrets rotate <app> [<KEY>] [--dry-run] [--data-migrated] [--no-restart]');
+        error('       fleet secrets rotate-key   (legacy: rotate the AGE master key)');
+        process.exit(1);
+    }
+    const manifest = loadManifest();
+    if (!manifest.apps[app]) {
+        error(`No app in vault: ${app}`);
+        process.exit(1);
+    }
+    let secrets = enumerateSecrets(app);
+    if (key) {
+        secrets = secrets.filter(s => s.name === key);
+        if (secrets.length === 0) {
+            error(`No secret named ${key} in ${app}`);
+            process.exit(1);
+        }
+    }
+    heading(`Rotate ${key ? `${key} in ${app}` : `secrets in ${app}`}${opts.dryRun ? ' [DRY-RUN]' : ''}`);
+    info(`${secrets.length} secret(s) to walk through. Empty answer = skip; "q" = quit.`);
+    let acted = 0;
+    let succeeded = 0;
+    for (const s of secrets) {
+        const r = await rotateOneInteractive(app, s, opts);
+        if (r.acted)
+            acted++;
+        if (r.succeeded)
+            succeeded++;
+    }
+    process.stdout.write('\n');
+    if (acted === 0) {
+        info('No rotations performed.');
+        return;
+    }
+    if (opts.dryRun) {
+        success(`Dry-run complete: ${succeeded}/${acted} would-rotate (no changes made)`);
+        return;
+    }
+    // Apply runtime: re-unseal so /run/fleet-secrets has the new values.
+    info('Re-unsealing vault to /run/fleet-secrets...');
+    unsealAll();
+    success('Runtime updated');
+    // Restart + health gate (unless --no-restart).
+    if (opts.noRestart) {
+        warn('Skipping restart (--no-restart). Restart manually with `fleet restart ' + app + '`');
+        return;
+    }
+    const reg = load();
+    const appEntry = findApp(reg, app);
+    if (!appEntry) {
+        warn(`App ${app} not in registry — skipping restart + health gate.`);
+        return;
+    }
+    info(`Restarting ${app}...`);
+    if (!restartService(appEntry.serviceName)) {
+        error(`Restart failed for ${app}. Check logs.`);
+        return;
+    }
+    success(`${app} restarted`);
+    // Brief health gate.
+    info('Waiting 5s then checking health...');
+    await new Promise(r => setTimeout(r, 5000));
+    try {
+        const h = checkHealth(appEntry);
+        if (h.containers.every(ct => ct.running && (ct.health === 'healthy' || ct.health === 'none' || ct.health === ''))) {
+            success(`${app} healthy after rotation`);
+        }
+        else {
+            warn(`${app} health: not all containers happy. Run: fleet health ${app}`);
+        }
+    }
+    catch (e) {
+        warn(`Could not check health: ${e instanceof Error ? e.message : String(e)}`);
+    }
+}
+function parseAgesOpts(args) {
+    const opts = {
+        json: args.includes('--json'),
+        staleOnly: args.includes('--stale-only') || args.includes('--stale'),
+    };
+    const app = args.find(a => !a.startsWith('-'));
+    return { app, opts };
+}
+function statusLabel(s) {
+    if (!s.provider)
+        return `${c.dim}unknown${c.reset}`;
+    if (s.stale)
+        return `${c.red}${c.bold}STALE${c.reset}`;
+    if (s.ageDays != null) {
+        const threshold = s.provider.rotationFrequencyDays * 0.8;
+        if (s.ageDays >= threshold)
+            return `${c.yellow}aging${c.reset}`;
+    }
+    return `${c.green}fresh${c.reset}`;
+}
+function ageString(days) {
+    if (days == null)
+        return '?';
+    if (days === 0)
+        return 'today';
+    if (days === 1)
+        return '1 day';
+    return `${days} days`;
+}
+function secretsAges(args) {
+    // --motd → short summary suitable for /etc/update-motd.d/
+    if (args.includes('--motd')) {
+        const summary = summariseSecrets();
+        process.stdout.write(formatSecretsMotd(summary) + '\n');
+        return;
+    }
+    const { app, opts } = parseAgesOpts(args);
+    let secrets;
+    if (app) {
+        secrets = enumerateSecrets(app).map(s => ({ app, ...s }));
+    }
+    else {
+        secrets = enumerateAllSecrets();
+    }
+    if (opts.staleOnly) {
+        secrets = secrets.filter(s => s.stale);
+    }
+    if (opts.json) {
+        // Strip the `provider` ProviderDef object (RegExp inside) for JSON-safety;
+        // expose just its id, sensitivity, frequency.
+        const out = secrets.map(s => ({
+            app: s.app,
+            name: s.name,
+            lastRotated: s.lastRotated,
+            ageDays: s.ageDays,
+            stale: s.stale,
+            provider: s.provider
+                ? {
+                    id: s.provider.id,
+                    name: s.provider.name,
+                    sensitivity: s.provider.sensitivity,
+                    rotationFrequencyDays: s.provider.rotationFrequencyDays,
+                    strategy: s.provider.strategy,
+                }
+                : null,
+        }));
+        process.stdout.write(JSON.stringify(out, null, 2) + '\n');
+        return;
+    }
+    if (secrets.length === 0) {
+        if (opts.staleOnly) {
+            success('No stale secrets — everything is within rotation frequency');
+        }
+        else if (app) {
+            warn(`No secrets in ${app}`);
+        }
+        else {
+            warn('No secrets in vault');
+        }
+        return;
+    }
+    // Sort: stale first (by sensitivity desc), then aging, then fresh.
+    const sensRank = { critical: 0, high: 1, medium: 2, low: 3 };
+    secrets.sort((a, b) => {
+        if (a.stale !== b.stale)
+            return a.stale ? -1 : 1;
+        const sa = sensRank[a.provider?.sensitivity ?? 'low'] ?? 99;
+        const sb = sensRank[b.provider?.sensitivity ?? 'low'] ?? 99;
+        if (sa !== sb)
+            return sa - sb;
+        if ((b.ageDays ?? 0) !== (a.ageDays ?? 0))
+            return (b.ageDays ?? 0) - (a.ageDays ?? 0);
+        return a.app.localeCompare(b.app) || a.name.localeCompare(b.name);
+    });
+    const title = app ? `Secret ages: ${app}` : `Secret ages (${secrets.length} secrets)`;
+    heading(title);
+    const cols = app
+        ? ['SECRET', 'AGE', 'ROTATE EVERY', 'PROVIDER', 'SENS', 'STATUS']
+        : ['APP', 'SECRET', 'AGE', 'ROTATE EVERY', 'PROVIDER', 'SENS', 'STATUS'];
+    const rows = secrets.map(s => {
+        const provider = s.provider?.name ?? `${c.dim}—${c.reset}`;
+        const freq = s.provider ? `${s.provider.rotationFrequencyDays}d` : '—';
+        const sens = s.provider?.sensitivity ?? '—';
+        const ageCol = ageString(s.ageDays);
+        const status = statusLabel(s);
+        return app
+            ? [s.name, ageCol, freq, provider, sens, status]
+            : [`${c.bold}${s.app}${c.reset}`, s.name, ageCol, freq, provider, sens, status];
+    });
+    table(cols, rows);
+    process.stdout.write('\n');
+    const staleCount = secrets.filter(s => s.stale).length;
+    if (staleCount > 0) {
+        warn(`${staleCount} secret(s) need rotation. Run: fleet secrets rotate <app>`);
+    }
+}
 function secretsValidate(args) {
     const json = args.includes('--json');
     const appName = args.find(a => !a.startsWith('-'));
@@ -252,6 +594,97 @@ function secretsDrift(args) {
         success('No drift detected');
     }
 }
+function secretsMotdInit() {
+    const motdPath = '/etc/update-motd.d/99-fleet-secrets';
+    const script = generateSecretsMotdScript();
+    try {
+        writeFileSync(motdPath, script);
+        chmodSync(motdPath, 0o755);
+        success(`Installed MOTD script: ${motdPath}`);
+        info('Will print on next shell login.');
+    }
+    catch (err) {
+        error(`Failed to install MOTD: ${err instanceof Error ? err.message : String(err)}`);
+        error('Re-run with sudo if permission denied.');
+        process.exit(1);
+    }
+}
+function secretsSnapshots(args) {
+    const json = args.includes('--json');
+    const app = args.find(a => !a.startsWith('-'));
+    if (!app) {
+        error('Usage: fleet secrets snapshots <app>');
+        process.exit(1);
+    }
+    const snaps = listSnapshots(app);
+    if (json) {
+        process.stdout.write(JSON.stringify(snaps, null, 2) + '\n');
+        return;
+    }
+    if (snaps.length === 0) {
+        info(`No snapshots for ${app}`);
+        return;
+    }
+    heading(`Snapshots for ${app} (${snaps.length})`);
+    const rows = snaps.map(s => [
+        s.timestamp,
+        `${(s.sizeBytes / 1024).toFixed(1)}K`,
+        s.path.split('/').slice(-2).join('/'),
+    ]);
+    table(['TIMESTAMP', 'SIZE', 'PATH'], rows);
+    process.stdout.write('\n');
+    info(`Restore the newest with: fleet secrets rollback ${app}`);
+    info(`Restore a specific one:  fleet secrets rollback ${app} --to <TIMESTAMP>`);
+}
+async function secretsRollback(args) {
+    const yes = args.includes('-y') || args.includes('--yes');
+    const toIdx = args.indexOf('--to');
+    const to = toIdx >= 0 ? args[toIdx + 1] : undefined;
+    // Bug fix: previous logic excluded args[toIdx + 1] always (even when toIdx
+    // was -1, i.e. no --to flag), which silently skipped args[0] and grabbed
+    // the wrong positional. Only exclude the timestamp slot if --to was given.
+    const app = args.find((a, i) => !a.startsWith('-') && (toIdx < 0 || i !== toIdx + 1));
+    if (!app) {
+        error('Usage: fleet secrets rollback <app> [--to <TIMESTAMP>]');
+        error('       (use `fleet secrets snapshots <app>` to list available)');
+        process.exit(1);
+    }
+    const snaps = listSnapshots(app);
+    if (snaps.length === 0) {
+        error(`No snapshots for ${app}`);
+        process.exit(1);
+    }
+    const target = to ? snaps.find(s => s.timestamp === to) : snaps[0];
+    if (!target) {
+        error(`Snapshot not found for ${app}: ${to}`);
+        process.exit(1);
+    }
+    warn(`About to restore ${app} from snapshot ${target.timestamp}`);
+    warn('This will OVERWRITE the current vault file.');
+    if (!yes && !await confirm('Proceed?', false)) {
+        info('Cancelled');
+        return;
+    }
+    // Snapshot the CURRENT state before overwriting (so we can roll the rollback back too).
+    const safety = snapshotApp(app);
+    info(`Pre-rollback safety snapshot: ${safety.split('/').pop()}`);
+    restoreSnapshot(app, target.timestamp);
+    auditLog({ op: 'rollback', app, ok: true, details: `to ${target.timestamp}` });
+    success(`Restored ${app} from ${target.timestamp}`);
+    info('Re-unsealing vault...');
+    unsealAll();
+    const reg = load();
+    const appEntry = findApp(reg, app);
+    if (appEntry) {
+        info(`Restarting ${app}...`);
+        if (restartService(appEntry.serviceName)) {
+            success(`${app} restarted`);
+        }
+        else {
+            warn(`Restart failed — restart manually with: fleet restart ${app}`);
+        }
+    }
+}
 function secretsRestore(args) {
     const app = args.find(a => !a.startsWith('-'));
     if (!app) {

package/dist/commands/status.js CHANGED Viewed

@@ -16,7 +16,10 @@ export function getStatusData() {
             appContainers.every(ct => ct.health === 'healthy' || ct.health === 'none');
         const allRunning = appContainers.every(ct => ct.status.startsWith('Up'));
         let health;
-        if (svc && !svc.active) {
+        if (app.frozenAt) {
+            health = 'frozen';
+        }
+        else if (svc && !svc.active) {
             // systemd says service is not active — it's down
             health = 'down';
         }
@@ -55,8 +58,9 @@ export function statusCommand(args) {
     info(`${data.totalApps} apps | ${c.green}${data.healthy} healthy${c.reset} | ${data.unhealthy > 0 ? c.red : c.dim}${data.unhealthy} unhealthy${c.reset}`);
     const rows = data.apps.map(app => {
         const healthIcon = app.health === 'healthy' ? icon.ok
-            : app.health === 'degraded' ? icon.warn
-                : icon.err;
+            : app.health === 'frozen' ? icon.info
+                : app.health === 'degraded' ? icon.warn
+                    : icon.err;
         const systemdColor = app.systemd === 'active' ? c.green : c.red;
         return [
             `${c.bold}${app.name}${c.reset}`,

package/dist/commands/watchdog.d.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export declare function watchdogCommand(~~_args~~: string[]): Promise<void>;
1	+ export declare function watchdogCommand(args: string[]): Promise<void>;

package/dist/commands/watchdog.js CHANGED Viewed

@@ -1,37 +1,9 @@
-import { readFileSync, existsSync } from 'node:fs';
+import { readFileSync } from 'node:fs';
 import { load } from '../core/registry.js';
 import { checkAllHealth } from '../core/health.js';
 import { getServiceStatus } from '../core/systemd.js';
+import { loadNotifyConfig, sendNotification } from '../core/notify.js';
 import { error, success, warn } from '../ui/output.js';
-const TELEGRAM_CONFIG_PATH = '/etc/fleet/telegram.json';
-function loadTelegramConfig() {
-    if (!existsSync(TELEGRAM_CONFIG_PATH))
-        return null;
-    try {
-        return JSON.parse(readFileSync(TELEGRAM_CONFIG_PATH, 'utf-8'));
-    }
-    catch {
-        return null;
-    }
-}
-async function sendTelegram(config, message) {
-    try {
-        const url = `https://api.telegram.org/bot${config.botToken}/sendMessage`;
-        const res = await fetch(url, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                chat_id: config.chatId,
-                text: message,
-                parse_mode: 'HTML',
-            }),
-        });
-        return res.ok;
-    }
-    catch {
-        return false;
-    }
-}
 function getHostname() {
     try {
         return readFileSync('/etc/hostname', 'utf-8').trim();
@@ -40,7 +12,8 @@ function getHostname() {
         return 'unknown';
     }
 }
-export async function watchdogCommand(_args) {
+export async function watchdogCommand(args) {
+    const isMotd = args.includes('--motd');
     const failures = [];
     const hostname = getHostname();
     // check docker-databases systemd status
@@ -76,25 +49,28 @@ export async function watchdogCommand(_args) {
     for (const f of failures) {
         error(`  ${f}`);
     }
-    // send telegram alert
-    const config = loadTelegramConfig();
+    // MOTD mode: display only, no alerts, always exit 0
+    if (isMotd)
+        return;
+    // send alert via notify adapters
+    const config = loadNotifyConfig();
     if (!config) {
-        warn('No telegram config at /etc/fleet/telegram.json — alert not sent');
+        warn('No notify config at /etc/fleet/notify.json — alert not sent');
         process.exit(1);
     }
     const message = [
-        `<b>fleet watchdog alert</b>`,
-        `<b>host:</b> ${hostname}`,
-        `<b>failures:</b> ${failures.length}`,
+        `fleet watchdog alert`,
+        `host: ${hostname}`,
+        `failures: ${failures.length}`,
         '',
         ...failures.map(f => `- ${f}`),
     ].join('\n');
-    const sent = await sendTelegram(config, message);
+    const sent = await sendNotification(config, message);
     if (sent) {
-        success('Telegram alert sent');
+        success('Alert sent');
     }
     else {
-        error('Failed to send Telegram alert');
+        error('Failed to send alert');
     }
     process.exit(1);
 }