@matthesketh/fleet 1.2.0 → 1.7.0

package/dist/core/routines/store.d.ts

@@ -0,0 +1,316 @@
+import { z } from 'zod';
+import { type Routine } from './schema.js';
+declare const FileSchema: z.ZodObject<{
+    version: z.ZodLiteral<1>;
+    routines: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+        description: z.ZodDefault<z.ZodString>;
+        schedule: z.ZodUnion<[z.ZodObject<{
+            kind: z.ZodLiteral<"manual">;
+        }, "strip", z.ZodTypeAny, {
+            kind: "manual";
+        }, {
+            kind: "manual";
+        }>, z.ZodObject<{
+            kind: z.ZodLiteral<"calendar">;
+            onCalendar: z.ZodString;
+            randomizedDelaySec: z.ZodDefault<z.ZodNumber>;
+            persistent: z.ZodDefault<z.ZodBoolean>;
+        }, "strip", z.ZodTypeAny, {
+            kind: "calendar";
+            onCalendar: string;
+            randomizedDelaySec: number;
+            persistent: boolean;
+        }, {
+            kind: "calendar";
+            onCalendar: string;
+            randomizedDelaySec?: number | undefined;
+            persistent?: boolean | undefined;
+        }>]>;
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        targets: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        perTarget: z.ZodDefault<z.ZodBoolean>;
+        task: z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
+            kind: z.ZodLiteral<"claude-cli">;
+            prompt: z.ZodString;
+            outputFormat: z.ZodDefault<z.ZodLiteral<"json">>;
+            tokenCap: z.ZodDefault<z.ZodNumber>;
+            wallClockMs: z.ZodDefault<z.ZodNumber>;
+            maxUsd: z.ZodDefault<z.ZodNumber>;
+            model: z.ZodOptional<z.ZodString>;
+            appendSystem: z.ZodOptional<z.ZodString>;
+            allowedTools: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            kind: "claude-cli";
+            prompt: string;
+            outputFormat: "json";
+            tokenCap: number;
+            wallClockMs: number;
+            maxUsd: number;
+            model?: string | undefined;
+            appendSystem?: string | undefined;
+            allowedTools?: string[] | undefined;
+        }, {
+            kind: "claude-cli";
+            prompt: string;
+            outputFormat?: "json" | undefined;
+            tokenCap?: number | undefined;
+            wallClockMs?: number | undefined;
+            maxUsd?: number | undefined;
+            model?: string | undefined;
+            appendSystem?: string | undefined;
+            allowedTools?: string[] | undefined;
+        }>, z.ZodObject<{
+            kind: z.ZodLiteral<"shell">;
+            argv: z.ZodArray<z.ZodString, "many">;
+            env: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+            wallClockMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            kind: "shell";
+            wallClockMs: number;
+            argv: string[];
+            env?: Record<string, string> | undefined;
+        }, {
+            kind: "shell";
+            argv: string[];
+            env?: Record<string, string> | undefined;
+            wallClockMs?: number | undefined;
+        }>, z.ZodObject<{
+            kind: z.ZodLiteral<"mcp-call">;
+            tool: z.ZodString;
+            args: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+            wallClockMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            kind: "mcp-call";
+            wallClockMs: number;
+            tool: string;
+            args: Record<string, unknown>;
+        }, {
+            kind: "mcp-call";
+            tool: string;
+            wallClockMs?: number | undefined;
+            args?: Record<string, unknown> | undefined;
+        }>]>;
+        notify: z.ZodDefault<z.ZodArray<z.ZodObject<{
+            kind: z.ZodEnum<["stdout", "webhook", "slack", "email"]>;
+            on: z.ZodDefault<z.ZodEnum<["always", "failure", "success"]>>;
+            config: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, "strip", z.ZodTypeAny, {
+            config: Record<string, unknown>;
+            kind: "email" | "stdout" | "webhook" | "slack";
+            on: "always" | "failure" | "success";
+        }, {
+            kind: "email" | "stdout" | "webhook" | "slack";
+            config?: Record<string, unknown> | undefined;
+            on?: "always" | "failure" | "success" | undefined;
+        }>, "many">>;
+        tags: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        createdAt: z.ZodOptional<z.ZodString>;
+        updatedAt: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        enabled: boolean;
+        name: string;
+        id: string;
+        notify: {
+            config: Record<string, unknown>;
+            kind: "email" | "stdout" | "webhook" | "slack";
+            on: "always" | "failure" | "success";
+        }[];
+        description: string;
+        schedule: {
+            kind: "manual";
+        } | {
+            kind: "calendar";
+            onCalendar: string;
+            randomizedDelaySec: number;
+            persistent: boolean;
+        };
+        targets: string[];
+        perTarget: boolean;
+        task: {
+            kind: "claude-cli";
+            prompt: string;
+            outputFormat: "json";
+            tokenCap: number;
+            wallClockMs: number;
+            maxUsd: number;
+            model?: string | undefined;
+            appendSystem?: string | undefined;
+            allowedTools?: string[] | undefined;
+        } | {
+            kind: "shell";
+            wallClockMs: number;
+            argv: string[];
+            env?: Record<string, string> | undefined;
+        } | {
+            kind: "mcp-call";
+            wallClockMs: number;
+            tool: string;
+            args: Record<string, unknown>;
+        };
+        tags: string[];
+        updatedAt?: string | undefined;
+        createdAt?: string | undefined;
+    }, {
+        name: string;
+        id: string;
+        schedule: {
+            kind: "manual";
+        } | {
+            kind: "calendar";
+            onCalendar: string;
+            randomizedDelaySec?: number | undefined;
+            persistent?: boolean | undefined;
+        };
+        task: {
+            kind: "claude-cli";
+            prompt: string;
+            outputFormat?: "json" | undefined;
+            tokenCap?: number | undefined;
+            wallClockMs?: number | undefined;
+            maxUsd?: number | undefined;
+            model?: string | undefined;
+            appendSystem?: string | undefined;
+            allowedTools?: string[] | undefined;
+        } | {
+            kind: "shell";
+            argv: string[];
+            env?: Record<string, string> | undefined;
+            wallClockMs?: number | undefined;
+        } | {
+            kind: "mcp-call";
+            tool: string;
+            wallClockMs?: number | undefined;
+            args?: Record<string, unknown> | undefined;
+        };
+        enabled?: boolean | undefined;
+        updatedAt?: string | undefined;
+        notify?: {
+            kind: "email" | "stdout" | "webhook" | "slack";
+            config?: Record<string, unknown> | undefined;
+            on?: "always" | "failure" | "success" | undefined;
+        }[] | undefined;
+        description?: string | undefined;
+        targets?: string[] | undefined;
+        perTarget?: boolean | undefined;
+        tags?: string[] | undefined;
+        createdAt?: string | undefined;
+    }>, "many">;
+    defaultsSeededAt: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    version: 1;
+    routines: {
+        enabled: boolean;
+        name: string;
+        id: string;
+        notify: {
+            config: Record<string, unknown>;
+            kind: "email" | "stdout" | "webhook" | "slack";
+            on: "always" | "failure" | "success";
+        }[];
+        description: string;
+        schedule: {
+            kind: "manual";
+        } | {
+            kind: "calendar";
+            onCalendar: string;
+            randomizedDelaySec: number;
+            persistent: boolean;
+        };
+        targets: string[];
+        perTarget: boolean;
+        task: {
+            kind: "claude-cli";
+            prompt: string;
+            outputFormat: "json";
+            tokenCap: number;
+            wallClockMs: number;
+            maxUsd: number;
+            model?: string | undefined;
+            appendSystem?: string | undefined;
+            allowedTools?: string[] | undefined;
+        } | {
+            kind: "shell";
+            wallClockMs: number;
+            argv: string[];
+            env?: Record<string, string> | undefined;
+        } | {
+            kind: "mcp-call";
+            wallClockMs: number;
+            tool: string;
+            args: Record<string, unknown>;
+        };
+        tags: string[];
+        updatedAt?: string | undefined;
+        createdAt?: string | undefined;
+    }[];
+    defaultsSeededAt?: string | undefined;
+}, {
+    version: 1;
+    routines: {
+        name: string;
+        id: string;
+        schedule: {
+            kind: "manual";
+        } | {
+            kind: "calendar";
+            onCalendar: string;
+            randomizedDelaySec?: number | undefined;
+            persistent?: boolean | undefined;
+        };
+        task: {
+            kind: "claude-cli";
+            prompt: string;
+            outputFormat?: "json" | undefined;
+            tokenCap?: number | undefined;
+            wallClockMs?: number | undefined;
+            maxUsd?: number | undefined;
+            model?: string | undefined;
+            appendSystem?: string | undefined;
+            allowedTools?: string[] | undefined;
+        } | {
+            kind: "shell";
+            argv: string[];
+            env?: Record<string, string> | undefined;
+            wallClockMs?: number | undefined;
+        } | {
+            kind: "mcp-call";
+            tool: string;
+            wallClockMs?: number | undefined;
+            args?: Record<string, unknown> | undefined;
+        };
+        enabled?: boolean | undefined;
+        updatedAt?: string | undefined;
+        notify?: {
+            kind: "email" | "stdout" | "webhook" | "slack";
+            config?: Record<string, unknown> | undefined;
+            on?: "always" | "failure" | "success" | undefined;
+        }[] | undefined;
+        description?: string | undefined;
+        targets?: string[] | undefined;
+        perTarget?: boolean | undefined;
+        tags?: string[] | undefined;
+        createdAt?: string | undefined;
+    }[];
+    defaultsSeededAt?: string | undefined;
+}>;
+export type RoutineStoreFile = z.infer<typeof FileSchema>;
+export declare class RoutineStore {
+    private readonly path;
+    private file;
+    constructor(path?: string);
+    private readFromDisk;
+    private writeAtomic;
+    list(): Routine[];
+    get(id: string): Routine | null;
+    upsert(routine: Routine): Routine;
+    remove(id: string): boolean;
+    seedDefaults(routines: Routine[]): {
+        seeded: number;
+        skipped: number;
+    };
+    reload(): void;
+    storePath(): string;
+}
+export {};

package/dist/core/routines/store.js

@@ -0,0 +1,99 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, renameSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { z } from 'zod';
+import { RoutineSchema } from './schema.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DEFAULT_STORE_PATH = join(__dirname, '..', '..', '..', 'data', 'routines.json');
+const FileSchema = z.object({
+    version: z.literal(1),
+    routines: z.array(RoutineSchema),
+    defaultsSeededAt: z.string().datetime().optional(),
+});
+function defaultFile() {
+    return { version: 1, routines: [] };
+}
+function ensureDirFor(path) {
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+}
+export class RoutineStore {
+    path;
+    file;
+    constructor(path = DEFAULT_STORE_PATH) {
+        this.path = path;
+        this.file = this.readFromDisk();
+    }
+    readFromDisk() {
+        if (!existsSync(this.path))
+            return defaultFile();
+        const raw = readFileSync(this.path, 'utf-8');
+        try {
+            return FileSchema.parse(JSON.parse(raw));
+        }
+        catch (err) {
+            process.stderr.write(`[routines] Warning: failed to parse ${this.path}: ${String(err)}\n`);
+            return defaultFile();
+        }
+    }
+    writeAtomic() {
+        ensureDirFor(this.path);
+        const tmp = `${this.path}.tmp.${process.pid}`;
+        writeFileSync(tmp, JSON.stringify(this.file, null, 2) + '\n', { mode: 0o600 });
+        renameSync(tmp, this.path);
+    }
+    list() {
+        return [...this.file.routines];
+    }
+    get(id) {
+        return this.file.routines.find(r => r.id === id) ?? null;
+    }
+    upsert(routine) {
+        const validated = RoutineSchema.parse(routine);
+        const now = new Date().toISOString();
+        const idx = this.file.routines.findIndex(r => r.id === validated.id);
+        const existing = idx >= 0 ? this.file.routines[idx] : null;
+        const prepared = {
+            ...validated,
+            createdAt: existing?.createdAt ?? validated.createdAt ?? now,
+            updatedAt: now,
+        };
+        if (idx >= 0) {
+            this.file.routines[idx] = prepared;
+        }
+        else {
+            this.file.routines.push(prepared);
+        }
+        this.writeAtomic();
+        return prepared;
+    }
+    remove(id) {
+        const before = this.file.routines.length;
+        this.file.routines = this.file.routines.filter(r => r.id !== id);
+        const removed = this.file.routines.length !== before;
+        if (removed)
+            this.writeAtomic();
+        return removed;
+    }
+    seedDefaults(routines) {
+        if (this.file.defaultsSeededAt)
+            return { seeded: 0, skipped: routines.length };
+        let seeded = 0;
+        for (const r of routines) {
+            if (!this.file.routines.some(existing => existing.id === r.id)) {
+                this.file.routines.push(RoutineSchema.parse(r));
+                seeded++;
+            }
+        }
+        this.file.defaultsSeededAt = new Date().toISOString();
+        this.writeAtomic();
+        return { seeded, skipped: routines.length - seeded };
+    }
+    reload() {
+        this.file = this.readFromDisk();
+    }
+    storePath() {
+        return this.path;
+    }
+}

package/dist/core/routines/test-utils.d.ts

@@ -0,0 +1,2 @@
+export declare function mkExecTmpDir(prefix: string): string;
+export declare function rmExecTmpDir(dir: string): void;

package/dist/core/routines/test-utils.js

@@ -0,0 +1,13 @@
+import { existsSync, mkdirSync, mkdtempSync, rmSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const EXEC_TMP_ROOT = join(__dirname, '..', '..', '..', '.test-tmp');
+export function mkExecTmpDir(prefix) {
+    if (!existsSync(EXEC_TMP_ROOT))
+        mkdirSync(EXEC_TMP_ROOT, { recursive: true });
+    return mkdtempSync(join(EXEC_TMP_ROOT, prefix));
+}
+export function rmExecTmpDir(dir) {
+    rmSync(dir, { recursive: true, force: true });
+}

package/dist/core/secrets-audit.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Append-only audit log of every sensitive secret operation.
+ *
+ * Stored at ~/.local/share/fleet/audit.jsonl with mode 0600. Each line is a
+ * JSON object — never the secret VALUE, only its name. Flushed synchronously
+ * so a crash mid-rotation still leaves a trail.
+ */
+export type AuditOp = 'init' | 'seal' | 'unseal' | 'set' | 'get' | 'rotate' | 'rotate-attempted' | 'rotate-failed' | 'rollback' | 'snapshot' | 'harden' | 'export' | 'import';
+export interface AuditEntry {
+    ts: string;
+    op: AuditOp;
+    actor: string;
+    app?: string;
+    secret?: string;
+    ok: boolean;
+    details?: string;
+}
+export declare function auditLog(entry: Omit<AuditEntry, 'ts' | 'actor'> & {
+    actor?: string;
+}): void;
+export declare function getAuditPath(): string;

package/dist/core/secrets-audit.js

@@ -0,0 +1,60 @@
+/**
+ * Append-only audit log of every sensitive secret operation.
+ *
+ * Stored at ~/.local/share/fleet/audit.jsonl with mode 0600. Each line is a
+ * JSON object — never the secret VALUE, only its name. Flushed synchronously
+ * so a crash mid-rotation still leaves a trail.
+ */
+import { existsSync, mkdirSync, appendFileSync, chmodSync, statSync, openSync, closeSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+const AUDIT_DIR = join(homedir(), '.local', 'share', 'fleet');
+const AUDIT_PATH = join(AUDIT_DIR, 'audit.jsonl');
+function getActor() {
+    return process.env.SUDO_USER || process.env.USER || process.env.LOGNAME || 'unknown';
+}
+function ensureLog() {
+    if (!existsSync(AUDIT_DIR)) {
+        mkdirSync(AUDIT_DIR, { recursive: true, mode: 0o700 });
+    }
+    if (!existsSync(AUDIT_PATH)) {
+        // Atomic create with the desired mode in a single syscall — closes the
+        // TOCTOU window where the file briefly existed at the umask default
+        // (typically 0o644) before the chmod.
+        const fd = openSync(AUDIT_PATH, 'a', 0o600);
+        closeSync(fd);
+        return;
+    }
+    try {
+        const mode = statSync(AUDIT_PATH).mode & 0o777;
+        if (mode !== 0o600)
+            chmodSync(AUDIT_PATH, 0o600);
+    }
+    catch {
+        /* ignore */
+    }
+}
+export function auditLog(entry) {
+    // Auditing must never block the actual operation. If the FS isn't writable
+    // (read-only mount, missing dir, mocked-out tests, etc.), surface a single
+    // stderr warning and continue. The op succeeds; we just lose this audit line.
+    try {
+        ensureLog();
+        const line = {
+            ts: new Date().toISOString(),
+            actor: entry.actor ?? getActor(),
+            op: entry.op,
+            app: entry.app,
+            secret: entry.secret,
+            ok: entry.ok,
+            details: entry.details,
+        };
+        appendFileSync(AUDIT_PATH, JSON.stringify(line) + '\n');
+    }
+    catch (err) {
+        process.stderr.write(`[fleet audit] WARNING: failed to write audit entry (${err instanceof Error ? err.message : err})\n`);
+    }
+}
+export function getAuditPath() {
+    return AUDIT_PATH;
+}

package/dist/core/secrets-metadata.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Per-secret metadata: read/write helpers around the optional `secrets` map
+ * on each ManifestEntry. Backwards-compatible: missing entries default to
+ * `lastRotated = entry.lastSealedAt`, provider derived via classifySecret.
+ */
+import { type SecretMetadata } from './secrets.js';
+import { type ProviderDef } from './secrets-providers.js';
+export interface EnrichedSecret {
+    /** The env var (or filename for secrets-dir apps). */
+    name: string;
+    /** Masked value preview, e.g. "sk_***" — never the real value. */
+    maskedValue: string;
+    /** ISO timestamp of last rotation, or last seal if never rotated individually. */
+    lastRotated: string;
+    /** Days since lastRotated. Null if timestamps invalid. */
+    ageDays: number | null;
+    /** Resolved provider definition. May be null if unrecognised. */
+    provider: ProviderDef | null;
+    /** True if older than provider's rotationFrequencyDays. */
+    stale: boolean;
+}
+/** Get raw metadata for a single secret. Returns null if no per-secret entry exists. */
+export declare function getSecretMetadata(app: string, secretName: string): SecretMetadata | null;
+/** Persist metadata for a single secret. Creates the secrets map if missing. */
+export declare function setSecretMetadata(app: string, secretName: string, meta: SecretMetadata): void;
+/** Mark a secret as freshly rotated. Auto-classifies provider if not specified. */
+export declare function markRotated(app: string, secretName: string, opts?: {
+    strategy?: SecretMetadata['strategy'];
+    notes?: string;
+}): SecretMetadata;
+/**
+ * List all secrets in an app, enriched with provider metadata + age + staleness.
+ * Backwards-compatible: secrets without per-secret metadata fall back to lastSealedAt.
+ */
+export declare function enumerateSecrets(app: string): EnrichedSecret[];
+/** All apps × all secrets, enriched. Used by `ages` (no app), MOTD, and bulk reports. */
+export declare function enumerateAllSecrets(): Array<EnrichedSecret & {
+    app: string;
+}>;

package/dist/core/secrets-metadata.js

@@ -0,0 +1,82 @@
+/**
+ * Per-secret metadata: read/write helpers around the optional `secrets` map
+ * on each ManifestEntry. Backwards-compatible: missing entries default to
+ * `lastRotated = entry.lastSealedAt`, provider derived via classifySecret.
+ */
+import { loadManifest, saveManifest, listSecrets } from './secrets.js';
+import { classifySecret, getProviderById, ageInDays, isStale, } from './secrets-providers.js';
+import { SecretsError } from './errors.js';
+/** Get raw metadata for a single secret. Returns null if no per-secret entry exists. */
+export function getSecretMetadata(app, secretName) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry || !entry.secrets)
+        return null;
+    return entry.secrets[secretName] ?? null;
+}
+/** Persist metadata for a single secret. Creates the secrets map if missing. */
+export function setSecretMetadata(app, secretName, meta) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        throw new SecretsError(`No app in manifest: ${app}`);
+    entry.secrets = entry.secrets ?? {};
+    entry.secrets[secretName] = meta;
+    saveManifest(manifest);
+}
+/** Mark a secret as freshly rotated. Auto-classifies provider if not specified. */
+export function markRotated(app, secretName, opts = {}) {
+    const provider = classifySecret(secretName);
+    const meta = {
+        lastRotated: new Date().toISOString(),
+        provider: provider?.id,
+        strategy: opts.strategy ?? provider?.strategy,
+        notes: opts.notes,
+    };
+    setSecretMetadata(app, secretName, meta);
+    return meta;
+}
+/**
+ * List all secrets in an app, enriched with provider metadata + age + staleness.
+ * Backwards-compatible: secrets without per-secret metadata fall back to lastSealedAt.
+ */
+export function enumerateSecrets(app) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry)
+        throw new SecretsError(`No app in manifest: ${app}`);
+    const items = listSecrets(app); // already returns { key, maskedValue }
+    const fallbackTs = entry.lastSealedAt;
+    return items.map(({ key, maskedValue }) => {
+        const stored = entry.secrets?.[key];
+        const provider = (stored?.provider ? getProviderById(stored.provider) : null) ?? classifySecret(key);
+        const lastRotated = stored?.lastRotated ?? fallbackTs;
+        const ageDays = ageInDays(lastRotated);
+        return {
+            name: key,
+            maskedValue,
+            lastRotated,
+            ageDays,
+            provider,
+            stale: isStale(ageDays, provider),
+        };
+    });
+}
+/** All apps × all secrets, enriched. Used by `ages` (no app), MOTD, and bulk reports. */
+export function enumerateAllSecrets() {
+    const manifest = loadManifest();
+    const out = [];
+    for (const app of Object.keys(manifest.apps)) {
+        try {
+            for (const s of enumerateSecrets(app))
+                out.push({ app, ...s });
+        }
+        catch (err) {
+            // App may be sealed-but-unreadable (e.g. key missing). Continue but
+            // log so a corrupt manifest entry doesn't masquerade as "no secrets".
+            const msg = err instanceof Error ? err.message : String(err);
+            process.stderr.write(`[fleet secrets] skipped ${app}: ${msg}\n`);
+        }
+    }
+    return out;
+}

package/dist/core/secrets-motd.d.ts

@@ -0,0 +1,20 @@
+/**
+ * MOTD reporter: short summary of secret rotation health, intended for
+ * /etc/update-motd.d/99-fleet-secrets to print on shell login.
+ */
+import type { Sensitivity } from './secrets-providers.js';
+export interface SecretsMotdSummary {
+    totalSecrets: number;
+    staleCount: number;
+    bySensitivity: Record<Sensitivity, number>;
+    appsWithStale: string[];
+    topStale: Array<{
+        app: string;
+        name: string;
+        ageDays: number;
+        sensitivity: Sensitivity;
+    }>;
+}
+export declare function summariseSecrets(): SecretsMotdSummary;
+export declare function formatSecretsMotd(summary: SecretsMotdSummary): string;
+export declare function generateSecretsMotdScript(): string;