@matthesketh/fleet 1.1.0 → 1.6.0

package/dist/core/boot-refresh.d.ts

@@ -0,0 +1,57 @@
+import type { AppEntry } from './registry.js';
+export type PreflightResult = {
+    ok: true;
+    branch: string;
+} | {
+    ok: false;
+    reason: 'not-a-git-repo' | 'no-remote' | 'detached-head' | 'dirty-tree';
+};
+export declare function preflight(projectRoot: string): PreflightResult;
+export type FetchResult = {
+    ok: true;
+} | {
+    ok: false;
+    reason: 'fetch-failed';
+    detail: string;
+};
+export declare function fetchOrigin(projectRoot: string, branch: string): FetchResult;
+export type FastForwardResult = {
+    ok: true;
+    changed: boolean;
+    newHead: string;
+} | {
+    ok: false;
+    reason: 'non-ff' | 'rev-parse-failed';
+    detail: string;
+};
+export declare function fastForward(projectRoot: string, branch: string): FastForwardResult;
+export type BuildResult = {
+    ok: true;
+    built: boolean;
+} | {
+    ok: false;
+    reason: 'build-failed';
+};
+export declare function buildIfStale(app: AppEntry, currentHead: string): BuildResult;
+export declare function recordBuiltCommit(appName: string, commit: string): void;
+export declare const KILL_SWITCH = "/etc/fleet/no-auto-refresh";
+export declare const DEFAULT_WALL_CLOCK_MS = 900000;
+export type RefreshResult = {
+    kind: 'refreshed';
+    head: string;
+    built: boolean;
+} | {
+    kind: 'no-change';
+    head: string;
+} | {
+    kind: 'skipped';
+    reason: string;
+} | {
+    kind: 'failed-safe';
+    step: string;
+    detail: string;
+};
+export interface RefreshOptions {
+    wallClockMs?: number;
+}
+export declare function refresh(app: AppEntry, opts?: RefreshOptions): Promise<RefreshResult>;

package/dist/core/boot-refresh.js

@@ -0,0 +1,116 @@
+import { existsSync } from 'node:fs';
+import { isGitRepo, getGitStatus } from './git.js';
+import { execGit } from './exec.js';
+import { load, save } from './registry.js';
+import { composeBuild } from './docker.js';
+export function preflight(projectRoot) {
+    if (!isGitRepo(projectRoot))
+        return { ok: false, reason: 'not-a-git-repo' };
+    const s = getGitStatus(projectRoot);
+    if (!s.remoteName)
+        return { ok: false, reason: 'no-remote' };
+    if (!s.branch || s.branch === 'HEAD')
+        return { ok: false, reason: 'detached-head' };
+    if (!s.clean)
+        return { ok: false, reason: 'dirty-tree' };
+    return { ok: true, branch: s.branch };
+}
+export function fetchOrigin(projectRoot, branch) {
+    const r = execGit(['fetch', 'origin', branch], { cwd: projectRoot, timeout: 60_000 });
+    if (!r.ok)
+        return { ok: false, reason: 'fetch-failed', detail: r.stderr || `exit ${r.exitCode}` };
+    return { ok: true };
+}
+function revParse(projectRoot, ref) {
+    const r = execGit(['rev-parse', ref], { cwd: projectRoot, timeout: 10_000 });
+    return r.ok ? r.stdout.trim() : null;
+}
+export function fastForward(projectRoot, branch) {
+    const local = revParse(projectRoot, 'HEAD');
+    if (!local) {
+        return { ok: false, reason: 'rev-parse-failed', detail: 'rev-parse HEAD or origin/branch failed' };
+    }
+    const remote = revParse(projectRoot, `origin/${branch}`);
+    if (!remote) {
+        return { ok: false, reason: 'rev-parse-failed', detail: 'rev-parse HEAD or origin/branch failed' };
+    }
+    if (local === remote)
+        return { ok: true, changed: false, newHead: local };
+    const merge = execGit(['merge', '--ff-only', `origin/${branch}`], { cwd: projectRoot, timeout: 30_000 });
+    if (!merge.ok) {
+        execGit(['merge', '--abort'], { cwd: projectRoot, timeout: 10_000 });
+        return { ok: false, reason: 'non-ff', detail: merge.stderr || `exit ${merge.exitCode}` };
+    }
+    const newHead = revParse(projectRoot, 'HEAD');
+    return { ok: true, changed: true, newHead: newHead ?? remote };
+}
+export function buildIfStale(app, currentHead) {
+    if (app.lastBuiltCommit && app.lastBuiltCommit === currentHead) {
+        return { ok: true, built: false };
+    }
+    const ok = composeBuild(app.composePath, app.composeFile, app.name);
+    if (!ok)
+        return { ok: false, reason: 'build-failed' };
+    return { ok: true, built: true };
+}
+export function recordBuiltCommit(appName, commit) {
+    const reg = load();
+    const i = reg.apps.findIndex(a => a.name === appName);
+    if (i < 0)
+        return;
+    reg.apps[i] = { ...reg.apps[i], lastBuiltCommit: commit };
+    save(reg);
+}
+export const KILL_SWITCH = '/etc/fleet/no-auto-refresh';
+function killSwitchPath() {
+    return process.env.FLEET_KILL_SWITCH ?? KILL_SWITCH;
+}
+export const DEFAULT_WALL_CLOCK_MS = 900_000;
+async function doRefresh(app) {
+    const pre = preflight(app.composePath);
+    if (!pre.ok)
+        return { kind: 'skipped', reason: pre.reason };
+    const fetched = fetchOrigin(app.composePath, pre.branch);
+    if (!fetched.ok)
+        return { kind: 'failed-safe', step: 'fetch', detail: fetched.detail };
+    const ff = fastForward(app.composePath, pre.branch);
+    if (!ff.ok)
+        return { kind: 'failed-safe', step: 'merge', detail: ff.detail };
+    const build = buildIfStale(app, ff.newHead);
+    if (!build.ok)
+        return { kind: 'failed-safe', step: 'build', detail: build.reason };
+    if (build.built)
+        recordBuiltCommit(app.name, ff.newHead);
+    if (!ff.changed && !build.built)
+        return { kind: 'no-change', head: ff.newHead };
+    return { kind: 'refreshed', head: ff.newHead, built: build.built };
+}
+function isKillSwitchActive() {
+    try {
+        return existsSync(killSwitchPath());
+    }
+    catch {
+        return false; // permission error or similar — assume no kill switch, let refresh proceed
+    }
+}
+export async function refresh(app, opts = {}) {
+    if (isKillSwitchActive())
+        return { kind: 'skipped', reason: 'kill-switch' };
+    const cap = opts.wallClockMs ?? DEFAULT_WALL_CLOCK_MS;
+    let timer;
+    try {
+        return await Promise.race([
+            doRefresh(app),
+            new Promise((resolve) => {
+                timer = setTimeout(() => resolve({ kind: 'failed-safe', step: 'wall-clock', detail: `exceeded ${cap}ms` }), cap);
+            }),
+        ]);
+    }
+    catch (err) {
+        return { kind: 'failed-safe', step: 'exception', detail: err instanceof Error ? err.message : String(err) };
+    }
+    finally {
+        if (timer)
+            clearTimeout(timer);
+    }
+}

package/dist/core/deps/actors/pr-creator.js

@@ -1,6 +1,6 @@
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
-import { exec } from '../../exec.js';
+import { execSafe } from '../../exec.js';
 export function generateVersionBump(finding) {
     if (!finding.fixable || !finding.package || !finding.currentVersion || !finding.latestVersion) {
         return null;
@@ -74,10 +74,10 @@ export function createDepsPr(app, findings, dryRun) {
     if (dryRun) {
         return { branch, bumps };
     }
-    const sshEnv = { SSH_AUTH_SOCK: '/tmp/fleet-ssh-agent.sock' };
-    exec('git checkout develop', { cwd: app.composePath });
-    exec('git pull', { cwd: app.composePath, env: sshEnv });
-    exec(`git checkout -b ${branch}`, { cwd: app.composePath });
+    const sshEnv = process.env.SSH_AUTH_SOCK ? { SSH_AUTH_SOCK: process.env.SSH_AUTH_SOCK } : {};
+    execSafe('git', ['checkout', 'develop'], { cwd: app.composePath });
+    execSafe('git', ['pull'], { cwd: app.composePath, env: sshEnv });
+    execSafe('git', ['checkout', '-b', branch], { cwd: app.composePath });
     for (const bump of bumps) {
         const filePath = join(app.composePath, bump.file);
         if (!existsSync(filePath))
@@ -87,17 +87,19 @@ export function createDepsPr(app, findings, dryRun) {
         writeFileSync(filePath, content);
     }
     const files = [...new Set(bumps.map(b => b.file))];
-    exec(`git add ${files.join(' ')}`, { cwd: app.composePath });
+    execSafe('git', ['add', ...files], { cwd: app.composePath });
     const commitMsg = bumps.length === 1
         ? `chore(deps): update ${fixable[0].package} from ${fixable[0].currentVersion} to ${fixable[0].latestVersion}`
         : `chore(deps): update ${bumps.length} dependencies`;
-    exec(`git commit -m "${commitMsg}"`, { cwd: app.composePath });
-    exec(`git push -u origin ${branch}`, { cwd: app.composePath, env: sshEnv });
+    execSafe('git', ['commit', '-m', commitMsg], { cwd: app.composePath });
+    execSafe('git', ['push', '-u', 'origin', branch], { cwd: app.composePath, env: sshEnv });
     if (!app.gitRepo)
         return { branch, bumps };
     const prBody = buildPrBody(fixable);
     const prTitle = `chore(deps): update dependencies (${date})`;
-    const prResult = exec(`gh pr create --repo ${app.gitRepo} --title "${prTitle}" --body "${prBody.replace(/"/g, '\\"')}" --base develop`, { cwd: app.composePath, env: sshEnv });
+    const prResult = execSafe('gh', [
+        'pr', 'create', '--repo', app.gitRepo, '--title', prTitle, '--body', prBody, '--base', 'develop',
+    ], { cwd: app.composePath, env: sshEnv });
     const prUrl = prResult.ok ? prResult.stdout.trim() : undefined;
     return { branch, bumps, prUrl };
 }

package/dist/core/deps/collectors/docker-running.js

@@ -1,4 +1,4 @@
-import { exec } from '../../exec.js';
+import { execSafe } from '../../exec.js';
 export class DockerRunningCollector {
     _overrides;
     type = 'docker-running';
@@ -11,7 +11,7 @@ export class DockerRunningCollector {
     async collect(app) {
         const findings = [];
         for (const container of app.containers) {
-            const result = exec(`docker inspect ${container}`, { timeout: 10_000 });
+            const result = execSafe('docker', ['inspect', container], { timeout: 10_000 });
             if (!result.ok)
                 continue;
             const info = this.parseInspectOutput(result.stdout);

package/dist/core/deps/collectors/github-pr.js

@@ -1,4 +1,4 @@
-import { exec } from '../../exec.js';
+import { execSafe } from '../../exec.js';
 export class GitHubPrCollector {
     type = 'github-pr';
     detect(_appPath, app) {
@@ -7,7 +7,10 @@ export class GitHubPrCollector {
     async collect(app) {
         if (!app.gitRepo)
             return [];
-        const result = exec(`gh pr list --repo ${app.gitRepo} --state open --json number,title,url,labels --limit 50`, { timeout: 15_000 });
+        const result = execSafe('gh', [
+            'pr', 'list', '--repo', app.gitRepo, '--state', 'open',
+            '--json', 'number,title,url,labels', '--limit', '50',
+        ], { timeout: 15_000 });
         if (!result.ok)
             return [];
         try {

package/dist/core/deps/collectors/npm.js

@@ -21,16 +21,21 @@ export class NpmCollector {
             ...pkg.devDependencies,
         };
         const findings = [];
-        const results = await Promise.allSettled(Object.entries(allDeps).map(([name, version]) => this.checkPackage(app.name, name, version)));
-        for (const result of results) {
-            if (result.status === 'fulfilled' && result.value) {
-                findings.push(result.value);
+        const entries = Object.entries(allDeps);
+        const BATCH_SIZE = 10;
+        for (let i = 0; i < entries.length; i += BATCH_SIZE) {
+            const batch = entries.slice(i, i + BATCH_SIZE);
+            const results = await Promise.allSettled(batch.map(([name, version]) => this.checkPackage(app.name, name, version)));
+            for (const result of results) {
+                if (result.status === 'fulfilled' && result.value) {
+                    findings.push(result.value);
+                }
             }
         }
         return findings;
     }
     async checkPackage(appName, name, currentRaw) {
-        const current = currentRaw.replace(/^[\^~>=<]/, '');
+        const current = currentRaw.replace(/^[^\d]*/, '');
         try {
             const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
             if (!res.ok)

package/dist/core/deps/collectors/vulnerability.js

@@ -13,10 +13,14 @@ export class VulnerabilityCollector {
         if (packages.length === 0)
             return [];
         const findings = [];
-        const results = await Promise.allSettled(packages.map(pkg => this.queryOsv(app.name, pkg)));
-        for (const result of results) {
-            if (result.status === 'fulfilled') {
-                findings.push(...result.value);
+        const BATCH_SIZE = 10;
+        for (let i = 0; i < packages.length; i += BATCH_SIZE) {
+            const batch = packages.slice(i, i + BATCH_SIZE);
+            const results = await Promise.allSettled(batch.map(pkg => this.queryOsv(app.name, pkg)));
+            for (const result of results) {
+                if (result.status === 'fulfilled') {
+                    findings.push(...result.value);
+                }
             }
         }
         return findings;
@@ -28,7 +32,7 @@ export class VulnerabilityCollector {
             try {
                 const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
                 for (const [name, versionRaw] of Object.entries(pkg.dependencies ?? {})) {
-                    const version = versionRaw.replace(/^[\^~>=<]/, '');
+                    const version = versionRaw.replace(/^[^\d]*/, '');
                     packages.push({ name, version, ecosystem: 'npm' });
                 }
             }
@@ -41,7 +45,7 @@ export class VulnerabilityCollector {
                 for (const [name, versionRaw] of Object.entries(composer.require ?? {})) {
                     if (name.startsWith('php') || name.startsWith('ext-'))
                         continue;
-                    const version = versionRaw.replace(/^[\^~>=<*]/, '');
+                    const version = versionRaw.replace(/^[^\d]*/, '');
                     packages.push({ name, version, ecosystem: 'Packagist' });
                 }
             }

package/dist/core/deps/reporters/motd.js

@@ -51,7 +51,7 @@ fi
 `;
 }
 function formatAge(isoDate) {
-    const ms = Date.now() - new Date(isoDate).getTime();
+    const ms = Math.max(0, Date.now() - new Date(isoDate).getTime());
     const mins = Math.floor(ms / 60_000);
     if (mins < 1)
         return 'just now';

package/dist/core/deps/reporters/telegram.js

@@ -1,9 +1,9 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { loadTelegramConfig, sendTelegram } from '../../telegram.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const NOTIFIED_PATH = join(__dirname, '..', '..', '..', '..', 'data', 'notified-findings.json');
-const TELEGRAM_CONFIG_PATH = '/etc/fleet/telegram.json';
 export function formatTelegramMessage(findings, appCount) {
     if (findings.length === 0)
         return '';
@@ -56,21 +56,7 @@ export async function sendTelegramNotification(findings, appCount, previousFindi
     const message = formatTelegramMessage(filtered, appCount);
     if (!message)
         return false;
-    try {
-        const res = await fetch(`https://api.telegram.org/bot${config.botToken}/sendMessage`, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({
-                chat_id: config.chatId,
-                text: message,
-                parse_mode: 'HTML',
-            }),
-        });
-        return res.ok;
-    }
-    catch {
-        return false;
-    }
+    return sendTelegram(config, message);
 }
 export function loadNotifiedFindings() {
     if (!existsSync(NOTIFIED_PATH))
@@ -88,19 +74,6 @@ export function saveNotifiedFindings(findings) {
         mkdirSync(dir, { recursive: true });
     writeFileSync(NOTIFIED_PATH, JSON.stringify(findings, null, 2) + '\n');
 }
-function loadTelegramConfig() {
-    if (!existsSync(TELEGRAM_CONFIG_PATH))
-        return null;
-    try {
-        const raw = JSON.parse(readFileSync(TELEGRAM_CONFIG_PATH, 'utf-8'));
-        if (!raw.botToken || !raw.chatId)
-            return null;
-        return { botToken: raw.botToken, chatId: String(raw.chatId) };
-    }
-    catch {
-        return null;
-    }
-}
 function escapeHtml(text) {
     return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
 }

package/dist/core/docker.js

@@ -1,5 +1,5 @@
 import { readFileSync, existsSync } from 'node:fs';
-import { exec } from './exec.js';
+import { execSafe } from './exec.js';
 const SECRETS_BASE = '/run/fleet-secrets';
 function loadEnvFile(path) {
     if (!existsSync(path))
@@ -23,7 +23,9 @@ function loadEnvFile(path) {
     return vars;
 }
 export function listContainers() {
-    const result = exec('docker ps --format "{{.Names}}\\t{{.Status}}\\t{{.Ports}}\\t{{.Image}}"', { timeout: 10_000 });
+    const result = execSafe('docker', [
+        'ps', '--format', '{{.Names}}\t{{.Status}}\t{{.Ports}}\t{{.Image}}',
+    ], { timeout: 10_000 });
     if (!result.ok || !result.stdout)
         return [];
     return result.stdout.split('\n').map(line => {
@@ -37,36 +39,64 @@ export function listContainers() {
     });
 }
 export function getContainersByCompose(composePath, composeFile) {
-    const fileFlag = composeFile ? `-f ${composeFile}` : '';
-    const result = exec(`docker compose ${fileFlag} ps --format "{{.Names}}"`, { cwd: composePath, timeout: 10_000 });
+    const args = ['compose', ...(composeFile ? ['-f', composeFile] : []), 'ps', '--format', '{{.Names}}'];
+    const result = execSafe('docker', args, { cwd: composePath, timeout: 10_000 });
     if (!result.ok || !result.stdout)
         return [];
     return result.stdout.split('\n').filter(Boolean);
 }
 export function getContainerLogs(container, lines = 100) {
-    const result = exec(`docker logs --tail ${lines} ${container} 2>&1`, { timeout: 15_000 });
-    return result.ok ? result.stdout : result.stderr || 'No logs available';
+    const result = execSafe('docker', ['logs', '--tail', String(lines), container], { timeout: 15_000 });
+    return result.ok ? (result.stdout || result.stderr) : result.stderr || 'No logs available';
+}
+function resolveImageName(composePath, composeFile) {
+    const args = ['compose', ...(composeFile ? ['-f', composeFile] : []), 'config', '--images'];
+    const r = execSafe('docker', args, { cwd: composePath, timeout: 15_000 });
+    if (!r.ok)
+        return null;
+    const first = r.stdout.split('\n').filter(Boolean)[0];
+    return first ?? null;
+}
+function imageExists(image) {
+    return execSafe('docker', ['image', 'inspect', image], { timeout: 10_000 }).ok;
 }
 export function composeBuild(composePath, composeFile, appName) {
-    const fileFlag = composeFile ? `-f ${composeFile}` : '';
+    const image = resolveImageName(composePath, composeFile);
+    if (image && imageExists(image)) {
+        const lastColon = image.lastIndexOf(':');
+        const base = lastColon > 0 ? image.slice(0, lastColon) : image;
+        const previous = `${base}:fleet-previous`;
+        execSafe('docker', ['tag', image, previous], { timeout: 10_000 });
+        // intentional: retag failure does not block build
+    }
+    const args = ['compose', ...(composeFile ? ['-f', composeFile] : []), 'build'];
     const env = appName ? loadEnvFile(`${SECRETS_BASE}/${appName}/.env`) : {};
-    const result = exec(`docker compose ${fileFlag} build`, { cwd: composePath, timeout: 300_000, env: Object.keys(env).length > 0 ? env : undefined });
+    const result = execSafe('docker', args, {
+        cwd: composePath,
+        timeout: 300_000,
+        env: Object.keys(env).length > 0 ? env : undefined,
+    });
     return result.ok;
 }
 export function composeUp(composePath, composeFile) {
-    const fileFlag = composeFile ? `-f ${composeFile}` : '';
-    const result = exec(`docker compose ${fileFlag} up -d --force-recreate`, { cwd: composePath, timeout: 120_000 });
+    const args = ['compose', ...(composeFile ? ['-f', composeFile] : []), 'up', '-d', '--force-recreate'];
+    const result = execSafe('docker', args, { cwd: composePath, timeout: 120_000 });
     return result.ok;
 }
 export function composeDown(composePath, composeFile) {
-    const fileFlag = composeFile ? `-f ${composeFile}` : '';
-    const result = exec(`docker compose ${fileFlag} down`, { cwd: composePath, timeout: 60_000 });
+    const args = ['compose', ...(composeFile ? ['-f', composeFile] : []), 'down'];
+    const result = execSafe('docker', args, { cwd: composePath, timeout: 60_000 });
     return result.ok;
 }
 export function inspectContainer(name) {
-    const result = exec(`docker inspect ${name}`, { timeout: 10_000 });
+    const result = execSafe('docker', ['inspect', name], { timeout: 10_000 });
     if (!result.ok)
         return null;
-    const parsed = JSON.parse(result.stdout);
-    return Array.isArray(parsed) ? parsed[0] : parsed;
+    try {
+        const parsed = JSON.parse(result.stdout);
+        return Array.isArray(parsed) ? parsed[0] : parsed;
+    }
+    catch {
+        return null;
+    }
 }

package/dist/core/egress.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Egress observation: see where each app's containers are talking to.
+ *
+ * v1 = snapshot mode. Reads conntrack via `ss -tn` filtered by container IPs,
+ * resolves remote IPs to hostnames best-effort, returns the deduplicated set.
+ *
+ * v2 (Phase E) = continuous shadow daemon (eBPF-based or nftables LOG target),
+ * with persistent observed-set storage and a real `enforce` mode that drops
+ * packets to non-allowlisted destinations. Design intentionally matches v1's
+ * data shape so the upgrade is non-breaking.
+ */
+import type { AppEntry } from './registry.js';
+export interface EgressFlow {
+    /** App that owns the source container. */
+    app: string;
+    /** Container name. */
+    container: string;
+    /** Remote endpoint as host:port. Hostname resolved when possible. */
+    remote: string;
+    remoteIp: string;
+    remotePort: number;
+    /** True if remote matches the app's egress.allow list. */
+    allowed: boolean;
+}
+export interface EgressSnapshot {
+    takenAt: string;
+    app: string;
+    flows: EgressFlow[];
+    /** Distinct (host:port) destinations observed. Useful for seeding allow lists. */
+    uniqueRemotes: string[];
+    /** uniqueRemotes that aren't on the app's allow list. */
+    violations: string[];
+}
+/**
+ * Read all current outbound TCP/UDP flows from the host using `ss -tnp`,
+ * filter to those whose SOURCE matches one of the app's container IPs.
+ * Connections to private addresses are kept (they may indicate intra-host
+ * leaks) but flagged differently.
+ */
+export declare function snapshotEgress(app: AppEntry): EgressSnapshot;
+export declare function addEgressAllow(app: AppEntry, host: string): string[];