@matthesketh/fleet 1.8.0 → 1.11.0

package/dist/core/boot-refresh.d.ts

@@ -33,7 +33,7 @@ export type BuildResult = {
     reason: 'build-failed';
 };
 export declare function buildIfStale(app: AppEntry, currentHead: string): BuildResult;
-export declare function recordBuiltCommit(appName: string, commit: string): void;
+export declare function recordBuiltCommit(appName: string, commit: string): Promise<void>;
 export declare const KILL_SWITCH = "/etc/fleet/no-auto-refresh";
 export declare const DEFAULT_WALL_CLOCK_MS = 900000;
 export type RefreshResult = {

package/dist/core/boot-refresh.js

@@ -1,7 +1,7 @@
 import { existsSync } from 'node:fs';
 import { isGitRepo, getGitStatus } from './git.js';
 import { execGit } from './exec.js';
-import { load, save } from './registry.js';
+import { withRegistry } from './registry.js';
 import { composeBuild } from './docker.js';
 export function preflight(projectRoot) {
     if (!isGitRepo(projectRoot))
@@ -53,13 +53,14 @@ export function buildIfStale(app, currentHead) {
         return { ok: false, reason: 'build-failed' };
     return { ok: true, built: true };
 }
-export function recordBuiltCommit(appName, commit) {
-    const reg = load();
-    const i = reg.apps.findIndex(a => a.name === appName);
-    if (i < 0)
-        return;
-    reg.apps[i] = { ...reg.apps[i], lastBuiltCommit: commit };
-    save(reg);
+export async function recordBuiltCommit(appName, commit) {
+    await withRegistry(reg => {
+        const i = reg.apps.findIndex(a => a.name === appName);
+        if (i < 0)
+            return reg;
+        reg.apps[i] = { ...reg.apps[i], lastBuiltCommit: commit };
+        return reg;
+    });
 }
 export const KILL_SWITCH = '/etc/fleet/no-auto-refresh';
 function killSwitchPath() {
@@ -80,7 +81,7 @@ async function doRefresh(app) {
     if (!build.ok)
         return { kind: 'failed-safe', step: 'build', detail: build.reason };
     if (build.built)
-        recordBuiltCommit(app.name, ff.newHead);
+        await recordBuiltCommit(app.name, ff.newHead);
     if (!ff.changed && !build.built)
         return { kind: 'no-change', head: ff.newHead };
     return { kind: 'refreshed', head: ff.newHead, built: build.built };

package/dist/core/deps/actors/pr-creator.d.ts

@@ -2,13 +2,15 @@ import type { AppEntry } from '../../registry.js';
 import type { Finding } from '../types.js';
 export interface VersionBump {
     file: string;
-    search: string;
+    searchRegex: RegExp;
     replace: string;
 }
 export declare function generateVersionBump(finding: Finding): VersionBump | null;
 export declare function buildPrBody(findings: Finding[]): string;
-export declare function createDepsPr(app: AppEntry, findings: Finding[], dryRun: boolean): {
+export interface CreateDepsPrResult {
     branch: string;
     bumps: VersionBump[];
     prUrl?: string;
-};
+    error?: string;
+}
+export declare function createDepsPr(app: AppEntry, findings: Finding[], dryRun: boolean): CreateDepsPrResult;

package/dist/core/deps/actors/pr-creator.js

@@ -1,34 +1,41 @@
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { execSafe } from '../../exec.js';
+import { getGitStatus } from '../../git.js';
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 export function generateVersionBump(finding) {
     if (!finding.fixable || !finding.package || !finding.currentVersion || !finding.latestVersion) {
         return null;
     }
+    const escName = escapeRegex(finding.package);
+    const escCurrent = escapeRegex(finding.currentVersion);
     switch (finding.source) {
         case 'npm':
             return {
                 file: 'package.json',
-                search: `"${finding.package}": "${finding.currentVersion}"`,
-                replace: `"${finding.package}": "${finding.latestVersion}"`,
+                // capture optional leading range operator (^, ~, >=, <=, >, <, =) so it survives the rewrite
+                searchRegex: new RegExp(`("${escName}"\\s*:\\s*")([\\^~>=<]*)${escCurrent}(")`),
+                replace: `$1$2${finding.latestVersion}$3`,
             };
         case 'composer':
             return {
                 file: 'composer.json',
-                search: `"${finding.package}": "${finding.currentVersion}"`,
-                replace: `"${finding.package}": "${finding.latestVersion}"`,
+                searchRegex: new RegExp(`("${escName}"\\s*:\\s*")([\\^~>=<]*)${escCurrent}(")`),
+                replace: `$1$2${finding.latestVersion}$3`,
             };
         case 'pip':
             return {
                 file: 'requirements.txt',
-                search: `${finding.package}==${finding.currentVersion}`,
-                replace: `${finding.package}==${finding.latestVersion}`,
+                searchRegex: new RegExp(`(${escName}==)${escCurrent}\\b`),
+                replace: `$1${finding.latestVersion}`,
             };
         case 'docker-image':
             return {
                 file: 'Dockerfile',
-                search: `${finding.package}:${finding.currentVersion}`,
-                replace: `${finding.package}:${finding.latestVersion}`,
+                searchRegex: new RegExp(`(${escName}:)${escCurrent}\\b`),
+                replace: `$1${finding.latestVersion}`,
             };
         default:
             return null;
@@ -74,25 +81,71 @@ export function createDepsPr(app, findings, dryRun) {
     if (dryRun) {
         return { branch, bumps };
     }
+    // Working-tree precheck: refuse to operate on a dirty repo. Otherwise the
+    // checkout/pull below can fail mid-way and leave the repo in a partial state,
+    // or worse, run on stale content.
+    const status = getGitStatus(app.composePath);
+    if (!status.initialised) {
+        return { branch: '', bumps: [], error: `${app.composePath} is not a git repo` };
+    }
+    if (!status.clean) {
+        return {
+            branch: '',
+            bumps: [],
+            error: `working tree at ${app.composePath} is dirty (${status.staged} staged, ${status.modified} modified, ${status.untracked} untracked) — commit or stash before running deps fix`,
+        };
+    }
     const sshEnv = process.env.SSH_AUTH_SOCK ? { SSH_AUTH_SOCK: process.env.SSH_AUTH_SOCK } : {};
-    execSafe('git', ['checkout', 'develop'], { cwd: app.composePath });
-    execSafe('git', ['pull'], { cwd: app.composePath, env: sshEnv });
-    execSafe('git', ['checkout', '-b', branch], { cwd: app.composePath });
+    const checkoutDevelop = execSafe('git', ['checkout', 'develop'], { cwd: app.composePath });
+    if (!checkoutDevelop.ok) {
+        return { branch: '', bumps: [], error: `git checkout develop failed: ${checkoutDevelop.stderr}` };
+    }
+    const pull = execSafe('git', ['pull'], { cwd: app.composePath, env: sshEnv });
+    if (!pull.ok) {
+        return { branch: '', bumps: [], error: `git pull failed: ${pull.stderr}` };
+    }
+    const checkoutBranch = execSafe('git', ['checkout', '-b', branch], { cwd: app.composePath });
+    if (!checkoutBranch.ok) {
+        return { branch: '', bumps: [], error: `git checkout -b ${branch} failed: ${checkoutBranch.stderr}` };
+    }
+    // Apply each bump and track which files actually changed.
+    const changedFiles = new Set();
     for (const bump of bumps) {
         const filePath = join(app.composePath, bump.file);
         if (!existsSync(filePath))
             continue;
-        let content = readFileSync(filePath, 'utf-8');
-        content = content.replace(bump.search, bump.replace);
-        writeFileSync(filePath, content);
+        const before = readFileSync(filePath, 'utf-8');
+        const after = before.replace(bump.searchRegex, bump.replace);
+        if (after !== before) {
+            writeFileSync(filePath, after);
+            changedFiles.add(bump.file);
+        }
+    }
+    // Range mismatch / unknown file content / nothing to update — abort before
+    // committing or pushing so we never open an empty PR.
+    if (changedFiles.size === 0) {
+        return {
+            branch: '',
+            bumps: [],
+            error: `no files changed: regex did not match any of ${[...new Set(bumps.map(b => b.file))].join(', ')}; the manifest may already be at the target version, or the version range syntax is unsupported`,
+        };
+    }
+    const files = [...changedFiles];
+    const add = execSafe('git', ['add', ...files], { cwd: app.composePath });
+    if (!add.ok) {
+        return { branch: '', bumps: [], error: `git add failed: ${add.stderr}` };
     }
-    const files = [...new Set(bumps.map(b => b.file))];
-    execSafe('git', ['add', ...files], { cwd: app.composePath });
     const commitMsg = bumps.length === 1
         ? `chore(deps): update ${fixable[0].package} from ${fixable[0].currentVersion} to ${fixable[0].latestVersion}`
         : `chore(deps): update ${bumps.length} dependencies`;
-    execSafe('git', ['commit', '-m', commitMsg], { cwd: app.composePath });
-    execSafe('git', ['push', '-u', 'origin', branch], { cwd: app.composePath, env: sshEnv });
+    const commit = execSafe('git', ['commit', '-m', commitMsg], { cwd: app.composePath });
+    if (!commit.ok) {
+        return { branch: '', bumps: [], error: `git commit failed: ${commit.stderr}` };
+    }
+    const push = execSafe('git', ['push', '-u', 'origin', branch], { cwd: app.composePath, env: sshEnv });
+    if (!push.ok) {
+        return { branch: '', bumps: [], error: `git push failed: ${push.stderr}` };
+    }
     if (!app.gitRepo)
         return { branch, bumps };
     const prBody = buildPrBody(fixable);

package/dist/core/deps/collectors/fetch-with-timeout.d.ts

@@ -0,0 +1,7 @@
+/**
+ * fetch wrapper that aborts after `timeoutMs`.
+ *
+ * Used by collectors that hit third-party HTTP services (OSV, npm registry).
+ * Without this, a hung peer would stall an entire scan indefinitely.
+ */
+export declare function fetchWithTimeout(url: string, init?: RequestInit, timeoutMs?: number): Promise<Response>;

package/dist/core/deps/collectors/fetch-with-timeout.js

@@ -0,0 +1,16 @@
+/**
+ * fetch wrapper that aborts after `timeoutMs`.
+ *
+ * Used by collectors that hit third-party HTTP services (OSV, npm registry).
+ * Without this, a hung peer would stall an entire scan indefinitely.
+ */
+export async function fetchWithTimeout(url, init = {}, timeoutMs = 10_000) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}

package/dist/core/deps/collectors/npm.js

@@ -1,6 +1,8 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { severityFromVersionDelta } from '../severity.js';
+import { fetchWithTimeout } from './fetch-with-timeout.js';
+const NPM_REGISTRY_TIMEOUT_MS = 10_000;
 export class NpmCollector {
     overrides;
     type = 'npm';
@@ -37,7 +39,7 @@ export class NpmCollector {
     async checkPackage(appName, name, currentRaw) {
         const current = currentRaw.replace(/^[^\d]*/, '');
         try {
-            const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
+            const res = await fetchWithTimeout(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`, {}, NPM_REGISTRY_TIMEOUT_MS);
             if (!res.ok)
                 return null;
             const data = await res.json();

package/dist/core/deps/collectors/vulnerability.d.ts

@@ -2,6 +2,14 @@ import type { AppEntry } from '../../registry.js';
 import type { Collector, Finding } from '../types.js';
 export declare class VulnerabilityCollector implements Collector {
     type: "vulnerability";
+    private skipRegexes;
+    /**
+     * @param osvSkipPatterns regex strings matched against bare package names.
+     * Matching packages are NOT sent to OSV (https://api.osv.dev), which is a
+     * third-party service. This prevents leaking private/internal package
+     * manifests to a third party.
+     */
+    constructor(osvSkipPatterns?: string[]);
     detect(appPath: string): boolean;
     collect(app: AppEntry): Promise<Finding[]>;
     private extractPackages;

package/dist/core/deps/collectors/vulnerability.js

@@ -1,8 +1,29 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { severityFromCvss } from '../severity.js';
+import { fetchWithTimeout } from './fetch-with-timeout.js';
+const OSV_TIMEOUT_MS = 10_000;
 export class VulnerabilityCollector {
     type = 'vulnerability';
+    skipRegexes;
+    /**
+     * @param osvSkipPatterns regex strings matched against bare package names.
+     * Matching packages are NOT sent to OSV (https://api.osv.dev), which is a
+     * third-party service. This prevents leaking private/internal package
+     * manifests to a third party.
+     */
+    constructor(osvSkipPatterns = []) {
+        this.skipRegexes = osvSkipPatterns
+            .map(p => {
+            try {
+                return new RegExp(p);
+            }
+            catch {
+                return null;
+            }
+        })
+            .filter((r) => r !== null);
+    }
     detect(appPath) {
         return (existsSync(join(appPath, 'package.json')) ||
             existsSync(join(appPath, 'composer.json')) ||
@@ -63,18 +84,26 @@ export class VulnerabilityCollector {
             }
             catch { /* skip */ }
         }
+        // Filter out packages that match any configured skip pattern. OSV is a
+        // third-party service (api.osv.dev, operated by Google), so the request
+        // payload is the package name + version. Internal/private package names
+        // would otherwise be exfiltrated. The default config skips the user's
+        // own npm scope.
+        if (this.skipRegexes.length > 0) {
+            return packages.filter(p => !this.skipRegexes.some(rx => rx.test(p.name)));
+        }
         return packages;
     }
     async queryOsv(appName, pkg) {
         try {
-            const res = await fetch('https://api.osv.dev/v1/query', {
+            const res = await fetchWithTimeout('https://api.osv.dev/v1/query', {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify({
                     version: pkg.version,
                     package: { name: pkg.name, ecosystem: pkg.ecosystem },
                 }),
-            });
+            }, OSV_TIMEOUT_MS);
             if (!res.ok)
                 return [];
             const data = await res.json();

package/dist/core/deps/config.js

@@ -21,6 +21,12 @@ export function defaultConfig() {
             minorVersionBehind: 'medium',
             patchVersionBehind: 'low',
         },
+        // Skip OSV lookups for the user's own npm scope by default — OSV is a
+        // third-party service (Google) and sending internal package names there
+        // leaks the proprietary dependency manifest. Backwards compat: if an
+        // existing deps-config.json is missing this field, mergeConfig fills it
+        // in from these defaults.
+        osvSkipPatterns: ['^@matthesketh/'],
     };
 }
 export function mergeConfig(base, overrides) {

package/dist/core/deps/scanner.js

@@ -14,7 +14,7 @@ export function createCollectors(config) {
         new DockerImageCollector(config.severityOverrides),
         new DockerRunningCollector(config.severityOverrides),
         new EolCollector(config.severityOverrides.eolDaysWarning),
-        new VulnerabilityCollector(),
+        new VulnerabilityCollector(config.osvSkipPatterns),
         new GitHubPrCollector(),
     ];
 }

package/dist/core/deps/types.d.ts

@@ -48,6 +48,14 @@ export interface DepsConfig {
         minorVersionBehind: Severity;
         patchVersionBehind: Severity;
     };
+    /**
+     * Regex strings (matched against bare package name) of packages that must
+     * NOT be queried against OSV (https://api.osv.dev). OSV is a third-party
+     * service operated by Google; sending private/internal package names there
+     * leaks the proprietary dependency manifest. Default skips the user's own
+     * npm scope.
+     */
+    osvSkipPatterns: string[];
 }
 export interface DepsCache {
     version: 1;

package/dist/core/env.d.ts

@@ -0,0 +1,3 @@
+/** returns a required env var, or throws a clear error. use for secrets,
+ *  keys and credential paths where a silent default would be dangerous. */
+export declare function requireEnv(name: string): string;

package/dist/core/env.js

@@ -0,0 +1,11 @@
+import { FleetError } from './errors.js';
+/** returns a required env var, or throws a clear error. use for secrets,
+ *  keys and credential paths where a silent default would be dangerous. */
+export function requireEnv(name) {
+    const value = process.env[name];
+    if (value === undefined || value === '') {
+        throw new FleetError(`required environment variable ${name} is not set — ` +
+            `it has no safe default and must be provided explicitly`);
+    }
+    return value;
+}

package/dist/core/exec.d.ts

@@ -9,6 +9,7 @@ export declare function execSafe(cmd: string, args: string[], opts?: {
     cwd?: string;
     env?: Record<string, string>;
     input?: string;
+    maxBuffer?: number;
 }): ExecResult;
 export declare function execGit(args: string[], opts: {
     cwd: string;

package/dist/core/exec.js

@@ -7,6 +7,10 @@ export function execSafe(cmd, args, opts = {}) {
         encoding: 'utf-8',
         stdio: 'pipe',
         input: opts.input,
+        // node's default is 1mb. restic --json on a long-running snapshot emits
+        // hundreds of progress lines that easily blow past that; bump to 256mb
+        // so a multi-hour run can't hit ENOBUFS just from status chatter.
+        maxBuffer: opts.maxBuffer ?? 256 * 1024 * 1024,
     });
     if (result.error) {
         return {

package/dist/core/file-lock.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Inter-process lock around a state-file path. Uses proper-lockfile (the same
+ * dependency the claude-cli runner uses for its mutex), which creates a
+ * <path>.lock directory atomically via mkdir(2).
+ *
+ * The wrapped path itself does not need to exist yet — `realpath: false`
+ * tells proper-lockfile to skip the realpath check, so we can lock around a
+ * registry/manifest file that hasn't been written for the first time. The
+ * parent directory of <path> must exist (we ensureDir below) so the .lock
+ * mkdir can succeed.
+ *
+ * Important: this lock is NOT reentrant. Callers should wrap the outermost
+ * read-modify-write boundary (e.g. a CLI command, an MCP tool handler, a
+ * cron entry) and let inner helpers do plain unlocked reads/writes; the lock
+ * bounds the whole RMW. Locking inside helpers that the outer caller already
+ * locked will deadlock.
+ */
+export declare function withFileLock<T>(path: string, fn: () => Promise<T> | T): Promise<T>;

package/dist/core/file-lock.js

@@ -0,0 +1,44 @@
+import { existsSync, mkdirSync } from 'node:fs';
+import { dirname } from 'node:path';
+import lockfile from 'proper-lockfile';
+/**
+ * Inter-process lock around a state-file path. Uses proper-lockfile (the same
+ * dependency the claude-cli runner uses for its mutex), which creates a
+ * <path>.lock directory atomically via mkdir(2).
+ *
+ * The wrapped path itself does not need to exist yet — `realpath: false`
+ * tells proper-lockfile to skip the realpath check, so we can lock around a
+ * registry/manifest file that hasn't been written for the first time. The
+ * parent directory of <path> must exist (we ensureDir below) so the .lock
+ * mkdir can succeed.
+ *
+ * Important: this lock is NOT reentrant. Callers should wrap the outermost
+ * read-modify-write boundary (e.g. a CLI command, an MCP tool handler, a
+ * cron entry) and let inner helpers do plain unlocked reads/writes; the lock
+ * bounds the whole RMW. Locking inside helpers that the outer caller already
+ * locked will deadlock.
+ */
+export async function withFileLock(path, fn) {
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    const release = await lockfile.lock(path, {
+        // Inter-process contention is normally microseconds (one process writes,
+        // releases). Retry up to ~5s of backoff so a slow disk / paused process
+        // doesn't immediately error out the second caller.
+        retries: { retries: 5, factor: 1.5, minTimeout: 50, maxTimeout: 500 },
+        // If a process crashes mid-lock, the .lock dir's mtime stops being
+        // refreshed. Anyone waiting longer than `stale` ms treats the lock as
+        // abandoned and steals it. 30s is generous for the kinds of operations
+        // that touch the registry/manifest (a write is < 100ms typically).
+        stale: 30_000,
+        // Allow locking paths that don't exist on disk yet (first-write case).
+        realpath: false,
+    });
+    try {
+        return await fn();
+    }
+    finally {
+        await release();
+    }
+}

package/dist/core/git-onboard.js

@@ -4,23 +4,20 @@ import { load, findApp, save } from './registry.js';
 export function detectScenario(status) {
     if (!status.initialised)
         return 'fresh';
-    if (status.remoteUrl && status.remoteUrl.includes('heskethwebdesign/'))
-        return 'resume';
-    if (status.remoteUrl && status.remoteUrl.includes('wrxck/'))
-        return 'migrate';
     if (!status.remoteUrl)
         return 'no-remote';
-    return 'fresh';
+    // a remote already on the configured org is a resume; any other org is a migrate.
+    return status.remoteUrl.includes(`${github.githubOrg()}/`) ? 'resume' : 'migrate';
 }
 export function describeOnboardPlan(scenario, repoName, _status) {
-    const repoUrl = `git@github.com:heskethwebdesign/${repoName}.git`;
+    const repoUrl = `git@github.com:${github.githubOrg()}/${repoName}.git`;
     const steps = [];
     switch (scenario) {
         case 'fresh':
             steps.push('generate .gitignore');
             steps.push('git init -b main');
             steps.push('git add . && git commit -m "initial commit"');
-            steps.push(`create private repo heskethwebdesign/${repoName}`);
+            steps.push(`create private repo ${github.githubOrg()}/${repoName}`);
             steps.push(`add remote origin ${repoUrl}`);
             steps.push('push main');
             steps.push('create and push develop branch');
@@ -29,7 +26,7 @@ export function describeOnboardPlan(scenario, repoName, _status) {
             break;
         case 'migrate':
             steps.push('ensure .gitignore exists');
-            steps.push(`create private repo heskethwebdesign/${repoName}`);
+            steps.push(`create private repo ${github.githubOrg()}/${repoName}`);
             steps.push(`git remote set-url origin ${repoUrl}`);
             steps.push('git push --all origin');
             steps.push('ensure develop branch exists');
@@ -39,7 +36,7 @@ export function describeOnboardPlan(scenario, repoName, _status) {
         case 'no-remote':
             steps.push('ensure .gitignore exists');
             steps.push('commit any outstanding changes');
-            steps.push(`create private repo heskethwebdesign/${repoName}`);
+            steps.push(`create private repo ${github.githubOrg()}/${repoName}`);
             steps.push(`add remote origin ${repoUrl}`);
             steps.push('git push --all origin');
             steps.push('ensure develop branch exists');
@@ -79,7 +76,7 @@ export function executeOnboard(scenario, cwd, repoName, appName, status) {
             gitCommit(cwd, 'Initial commit');
             steps.push('created initial commit');
             github.createRepo(repoName);
-            steps.push(`created private repo heskethwebdesign/${repoName}`);
+            steps.push(`created private repo ${github.githubOrg()}/${repoName}`);
             gitAddRemote(cwd, 'origin', repoUrl);
             gitPush(cwd, 'main', true);
             steps.push('pushed main to origin');
@@ -90,7 +87,7 @@ export function executeOnboard(scenario, cwd, repoName, appName, status) {
         }
         case 'migrate': {
             github.createRepo(repoName);
-            steps.push(`created private repo heskethwebdesign/${repoName}`);
+            steps.push(`created private repo ${github.githubOrg()}/${repoName}`);
             gitSetRemoteUrl(cwd, repoUrl);
             steps.push(`updated remote to ${repoUrl}`);
             gitPushAll(cwd);
@@ -110,7 +107,7 @@ export function executeOnboard(scenario, cwd, repoName, appName, status) {
                 steps.push('created initial commit');
             }
             github.createRepo(repoName);
-            steps.push(`created private repo heskethwebdesign/${repoName}`);
+            steps.push(`created private repo ${github.githubOrg()}/${repoName}`);
             gitAddRemote(cwd, 'origin', repoUrl);
             gitPushAll(cwd);
             steps.push('added remote and pushed all branches');
@@ -139,7 +136,7 @@ export function executeOnboard(scenario, cwd, repoName, appName, status) {
     const reg = load();
     const app = findApp(reg, appName);
     if (app) {
-        app.gitRepo = `heskethwebdesign/${repoName}`;
+        app.gitRepo = `${github.githubOrg()}/${repoName}`;
         app.gitRemoteUrl = repoUrl;
         app.gitOnboardedAt = new Date().toISOString();
         save(reg);

package/dist/core/github.d.ts

@@ -1,4 +1,6 @@
-export declare const GITHUB_ORG = "heskethwebdesign";
+/** the GitHub org this fleet instance publishes to — from operator config,
+ *  with no default: guessing another operator's org is never correct. */
+export declare function githubOrg(): string;
 export interface PullRequest {
     number: number;
     title: string;

package/dist/core/github.js

@@ -3,8 +3,11 @@ import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { execSafe } from './exec.js';
 import { GitError } from './errors.js';
+import { loadOperator } from './operator.js';
 import { assertAppName } from './validate.js';
-export const GITHUB_ORG = 'heskethwebdesign';
+/** the GitHub org this fleet instance publishes to — from operator config,
+ *  with no default: guessing another operator's org is never correct. */
+export function githubOrg() { return loadOperator().githubOrg; }
 export function isGhAuthenticated() {
     return execSafe('gh', ['auth', 'status'], { timeout: 10_000 }).ok;
 }
@@ -15,25 +18,25 @@ export function requireGhAuth() {
 }
 export function repoExists(name) {
     assertAppName(name);
-    return execSafe('gh', ['repo', 'view', `${GITHUB_ORG}/${name}`, '--json', 'name'], { timeout: 15_000 }).ok;
+    return execSafe('gh', ['repo', 'view', `${githubOrg()}/${name}`, '--json', 'name'], { timeout: 15_000 }).ok;
 }
 export function createRepo(name) {
     requireGhAuth();
     assertAppName(name);
     if (repoExists(name))
         return;
-    const r = execSafe('gh', ['repo', 'create', `${GITHUB_ORG}/${name}`, '--private'], { timeout: 30_000 });
+    const r = execSafe('gh', ['repo', 'create', `${githubOrg()}/${name}`, '--private'], { timeout: 30_000 });
     if (!r.ok)
         throw new GitError(`failed to create repo: ${r.stderr}`);
 }
 export function getRepoUrl(name) {
-    return `git@github.com:${GITHUB_ORG}/${name}.git`;
+    return `git@github.com:${githubOrg()}/${name}.git`;
 }
 export function createPullRequest(repo, opts) {
     requireGhAuth();
     const r = execSafe('gh', [
         'pr', 'create',
-        '--repo', `${GITHUB_ORG}/${repo}`,
+        '--repo', `${githubOrg()}/${repo}`,
         '--title', opts.title,
         '--body', opts.body ?? '',
         '--head', opts.head,
@@ -63,7 +66,7 @@ export function listPullRequests(repo, state = 'open') {
     requireGhAuth();
     const r = execSafe('gh', [
         'pr', 'list',
-        '--repo', `${GITHUB_ORG}/${repo}`,
+        '--repo', `${githubOrg()}/${repo}`,
         '--state', state,
         '--json', 'number,title,url,headRefName,baseRefName,state',
     ], { timeout: 15_000 });
@@ -97,7 +100,7 @@ export function protectBranch(repo, branch) {
     try {
         const r = execSafe('gh', [
             'api', '-X', 'PUT',
-            `repos/${GITHUB_ORG}/${repo}/branches/${branch}/protection`,
+            `repos/${githubOrg()}/${repo}/branches/${branch}/protection`,
             '--input', tmpFile,
         ], { timeout: 15_000 });
         return r.ok;

package/dist/core/logs-policy.d.ts

@@ -18,6 +18,11 @@ export declare function effectivePolicy(app: AppEntry): LogPolicy;
  */
 export declare function buildComposeOverride(app: AppEntry, policy: LogPolicy): string;
 export declare function overridePath(app: AppEntry): string;
+/** ensure the app repo's .gitignore covers .fleet/ so the auto-generated
+ *  override file doesn't get committed accidentally. no-op when there's no
+ *  .gitignore (operator may be using a different vcs or none at all) and
+ *  idempotent — never appends a duplicate entry. */
+export declare function ensureFleetGitignored(composePath: string): void;
 export declare function writeComposeOverride(app: AppEntry, policy: LogPolicy): string;
 export interface LogStatus {
     app: string;