@matthesketh/fleet 1.7.0 → 1.8.0

package/dist/commands/guard.js

@@ -17,6 +17,7 @@ const STATE_DIR = '/var/lib/fleet-guard';
 const LOG_DIR = '/var/log/fleet-guard';
 const SNAP_DIR = '/var/lib/cf-snapshots';
 const CRON_TARGET = '/etc/cron.d/cf-protect';
+const LOGROTATE_TARGET = '/etc/logrotate.d/fleet-guard';
 function scriptsDir() {
     // dist/commands/guard.js -> ../../scripts/guard relative to compiled file
     const here = dirname(fileURLToPath(import.meta.url));
@@ -77,6 +78,16 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     writeFileSync(CRON_TARGET, cron, { mode: 0o644 });
     info(`installed cron at ${CRON_TARGET}`);
 }
+function installLogrotate() {
+    const src = join(scriptsDir(), 'logrotate.d-fleet-guard');
+    if (!existsSync(src)) {
+        info('logrotate template missing, skipping');
+        return;
+    }
+    copyFileSync(src, LOGROTATE_TARGET);
+    chmodSync(LOGROTATE_TARGET, 0o644);
+    info(`installed logrotate at ${LOGROTATE_TARGET}`);
+}
 function installCommand() {
     requireRoot();
     ensureUser();
@@ -88,6 +99,7 @@ function installCommand() {
     ensureDir(SNAP_DIR, 0o700);
     installScripts();
     installCron();
+    installLogrotate();
     success('fleet guard installed.');
     info('next steps:');
     info('  1. seed creds at /etc/fleet/guard.cf.json (cloudflare api key + email + accountId)');
@@ -113,6 +125,9 @@ function helpText() {
         '  reject <token>                     reject a pending action',
         '  show <token>                       dump one record',
         '  execute                            run all approved actions',
+        '  policy show [zone]                 print policy (or effective hold list for zone)',
+        '  policy set <zone|default> <list>   override hold list (comma-separated)',
+        '  policy reset [zone]                reset zone (or all) to defaults',
     ].join('\n');
 }
 export function guardCommand(args) {
@@ -131,7 +146,7 @@ export function guardCommand(args) {
         }
         return;
     }
-    const passthrough = new Set(['status', 'list', 'hold', 'approve', 'reject', 'show', 'execute']);
+    const passthrough = new Set(['status', 'list', 'hold', 'approve', 'reject', 'show', 'execute', 'policy']);
     if (passthrough.has(sub)) {
         const code = delegate(sub, rest);
         if (code !== 0)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@matthesketh/fleet",
-  "version": "1.7.0",
+  "version": "1.8.0",
   "description": "Docker production management CLI + MCP server for Claude Code",
   "type": "module",
   "main": "dist/index.js",

package/scripts/guard/cf-audit-monitor

@@ -34,15 +34,9 @@ NOISY_ACTIONS = {
     "search",
 }
 
-# event action types that should always create a hold (require approval)
-# instead of merely notifying. these are the destructive / hijack-shaped ones.
-HOLD_ACTIONS = {
-    "zone_delete", "zone_create", "zone_settings_change",
-    "ns_change", "transfer_in", "transfer_out",
-    "member_add", "member_remove",
-    "api_token_create", "api_token_delete",
-    "ssl_change",
-}
+# hold/notify decision is delegated to `fleet-guard policy effective` so
+# admins can override per-zone via /etc/fleet/guard.policy.json. defaults
+# match the destructive / hijack-shaped action types and live in fleet-guard.
 
 
 def read_creds():
@@ -97,6 +91,20 @@ def classify(action_type):
     return "alert"
 
 
+def policy_decision(action, zone):
+    """ask fleet-guard which bucket this action falls in for the given zone.
+    on any error fall back to 'notify' so we don't drop signals."""
+    try:
+        cmd = [GUARD, "policy", "effective", action]
+        if zone:
+            cmd.extend(["--zone", zone])
+        res = run(cmd, capture_output=True, text=True, timeout=10)
+        decision = (res.stdout or "").strip()
+        return decision if decision in ("hold", "notify") else "notify"
+    except Exception:
+        return "notify"
+
+
 def notify(title, body):
     run([NOTIFIER, title, body], check=False)
 
@@ -141,7 +149,8 @@ def main():
     alerts = [ev for ev in events if classify((ev.get("action") or {}).get("type")) == "alert"]
     for ev in alerts:
         action = (ev.get("action") or {}).get("type") or ""
-        if action in HOLD_ACTIONS:
+        zone = (ev.get("metadata") or {}).get("zone") or (ev.get("resource") or {}).get("id", "") if (ev.get("resource") or {}).get("type") == "zone" else ""
+        if policy_decision(action, zone) == "hold":
             # destructive — create a fleet-guard hold instead of just notifying.
             # the cli itself fires the notification with approval token.
             payload = {

package/scripts/guard/fleet-guard

@@ -38,12 +38,24 @@ ROOT = Path("/var/lib/fleet-guard")
 LOG = Path("/var/log/fleet-guard/audit.jsonl")
 NOTIFY = "/usr/local/sbin/notify"
 GUARD_CFG = Path("/etc/fleet/guard.json")
+POLICY_CFG = Path("/etc/fleet/guard.policy.json")
 DEFAULT_TTL = 600
 
 PENDING = ROOT / "pending"
 APPROVED = ROOT / "approved"
 PROCESSED = ROOT / "processed"
 
+# baseline policy: which audit-log action types create a hold (require
+# approval) vs just notify. cf-audit-monitor consults `policy effective`
+# per-event so admins can override per-zone via /etc/fleet/guard.policy.json.
+DEFAULT_HOLD_ACTIONS = [
+    "zone_delete", "zone_create", "zone_settings_change",
+    "ns_change", "transfer_in", "transfer_out",
+    "member_add", "member_remove",
+    "api_token_create", "api_token_delete",
+    "ssl_change",
+]
+
 
 def utcnow():
     return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -211,6 +223,78 @@ def cmd_status(args):
     return 0
 
 
+def load_policy():
+    """returns {'default': {'hold': [...]}, 'zones': {<zone>: {'hold': [...]}}}.
+    missing file or invalid json → defaults only."""
+    if not POLICY_CFG.exists():
+        return {"default": {"hold": list(DEFAULT_HOLD_ACTIONS)}, "zones": {}}
+    try:
+        raw = json.loads(POLICY_CFG.read_text())
+    except Exception:
+        return {"default": {"hold": list(DEFAULT_HOLD_ACTIONS)}, "zones": {}}
+    raw.setdefault("default", {})
+    raw["default"].setdefault("hold", list(DEFAULT_HOLD_ACTIONS))
+    raw.setdefault("zones", {})
+    return raw
+
+
+def save_policy(policy):
+    POLICY_CFG.parent.mkdir(parents=True, exist_ok=True)
+    tmp = POLICY_CFG.with_suffix(".json.tmp")
+    tmp.write_text(json.dumps(policy, indent=2, sort_keys=True))
+    tmp.rename(POLICY_CFG)
+    os.chmod(POLICY_CFG, 0o640)
+
+
+def effective_hold_list(policy, zone):
+    """zone-level override wins; falls back to default."""
+    if zone:
+        z = policy.get("zones", {}).get(zone)
+        if z and "hold" in z:
+            return z["hold"]
+    return policy.get("default", {}).get("hold", DEFAULT_HOLD_ACTIONS)
+
+
+def cmd_policy(args):
+    sub = args.policy_cmd
+    policy = load_policy()
+    if sub == "show":
+        if args.zone:
+            hold = effective_hold_list(policy, args.zone)
+            print(json.dumps({"zone": args.zone, "hold": hold}, indent=2))
+        else:
+            print(json.dumps(policy, indent=2, sort_keys=True))
+        return 0
+    if sub == "set":
+        actions = [a.strip() for a in args.actions.split(",") if a.strip()]
+        if args.zone == "default":
+            policy.setdefault("default", {})["hold"] = actions
+        else:
+            policy.setdefault("zones", {}).setdefault(args.zone, {})["hold"] = actions
+        save_policy(policy)
+        log_event({"event": "policy_set", "zone": args.zone, "actions": actions})
+        print(f"set {args.zone} hold={actions}")
+        return 0
+    if sub == "reset":
+        if args.zone == "default" or args.zone == "":
+            policy["default"] = {"hold": list(DEFAULT_HOLD_ACTIONS)}
+            policy["zones"] = {}
+        else:
+            policy.get("zones", {}).pop(args.zone, None)
+        save_policy(policy)
+        log_event({"event": "policy_reset", "zone": args.zone or "all"})
+        print(f"reset {args.zone or 'all'}")
+        return 0
+    if sub == "effective":
+        # used by cf-audit-monitor. prints "hold" or "notify" then exits 0.
+        hold = effective_hold_list(policy, args.zone)
+        decision = "hold" if args.action in hold else "notify"
+        print(decision)
+        return 0
+    print(f"unknown policy subcommand: {sub}", file=sys.stderr)
+    return 1
+
+
 def cmd_execute(args):
     """invoke executor for each approved record. external script handles each kind."""
     executor = "/usr/local/sbin/fleet-guard-execute"
@@ -274,6 +358,20 @@ def main():
     sp = sub.add_parser("execute")
     sp.set_defaults(fn=cmd_execute)
 
+    sp = sub.add_parser("policy", help="view/edit hold-action policy")
+    psub = sp.add_subparsers(dest="policy_cmd", required=True)
+    pshow = psub.add_parser("show", help="print policy (or effective hold list for zone)")
+    pshow.add_argument("zone", nargs="?", default="")
+    pset = psub.add_parser("set", help="set hold-action list for default or zone")
+    pset.add_argument("zone")
+    pset.add_argument("actions", help="comma-separated action types")
+    preset = psub.add_parser("reset", help="reset policy: omit zone to wipe all overrides")
+    preset.add_argument("zone", nargs="?", default="")
+    peff = psub.add_parser("effective", help="print 'hold' or 'notify' for an action+zone")
+    peff.add_argument("action")
+    peff.add_argument("--zone", default="")
+    sp.set_defaults(fn=cmd_policy)
+
     args = p.parse_args()
     sys.exit(args.fn(args))
 

package/scripts/guard/logrotate.d-fleet-guard

@@ -0,0 +1,31 @@
+/var/log/fleet-guard/*.log
+/var/log/cf-audit-monitor.log
+/var/log/cf-snapshot.log
+/var/log/dns-drift-watch.log
+/var/log/cert-expiry-watch.log
+/var/log/refresh-cf-firewall.log
+{
+    daily
+    rotate 30
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 600 fleet-guard fleet-guard
+    sharedscripts
+    su root root
+}
+
+/var/log/fleet-guard/audit.jsonl
+/var/log/mcp-audit.jsonl
+{
+    monthly
+    rotate 12
+    compress
+    delaycompress
+    missingok
+    notifempty
+    copytruncate
+    create 600 root root
+    su root root
+}