@matthesketh/fleet 1.8.0 → 1.11.0

package/dist/core/secrets-v2-creds.d.ts

@@ -0,0 +1,9 @@
+export declare const CRED_DIR = "/etc/fleet/credentials";
+export declare function credentialPathFor(app: string): string;
+export declare function encryptCredential(args: {
+    name: string;
+    plaintext: string;
+    outputPath: string;
+}): void;
+export declare function credentialExists(app: string): boolean;
+export declare function removeCredential(app: string): void;

package/dist/core/secrets-v2-creds.js

@@ -0,0 +1,44 @@
+import { existsSync, mkdirSync, chmodSync, unlinkSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+export const CRED_DIR = '/etc/fleet/credentials';
+export function credentialPathFor(app) {
+    const p = join(CRED_DIR, `${app}.cred`);
+    if (!p.startsWith(CRED_DIR + '/')) {
+        throw new SecretsError(`invalid app name: ${app}`);
+    }
+    return p;
+}
+export function encryptCredential(args) {
+    const dir = dirname(args.outputPath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    const r = execSafe('systemd-creds', ['encrypt', '--name', args.name, '-', args.outputPath], { input: args.plaintext });
+    if (!r.ok) {
+        const safeStderr = args.plaintext.length > 0
+            ? r.stderr.split(args.plaintext).join('[redacted]')
+            : r.stderr;
+        throw new SecretsError(`systemd-creds encrypt failed: ${safeStderr}`);
+    }
+    try {
+        chmodSync(args.outputPath, 0o600);
+    }
+    catch (chmodErr) {
+        try {
+            unlinkSync(args.outputPath);
+        }
+        catch { /* ignore */ }
+        throw new SecretsError(`chmod failed for ${args.outputPath}: ${chmodErr.message}`);
+    }
+}
+export function credentialExists(app) {
+    return existsSync(credentialPathFor(app));
+}
+export function removeCredential(app) {
+    const p = credentialPathFor(app);
+    if (existsSync(p)) {
+        unlinkSync(p);
+    }
+}

package/dist/core/secrets-v2-install.d.ts

@@ -0,0 +1,13 @@
+export interface InstallResult {
+    agentBinaryInstalled: boolean;
+    unitFileInstalled: boolean;
+    daemonReloaded: boolean;
+    templateParseable: boolean;
+}
+export declare function installV2(opts?: {
+    dryRun?: boolean;
+    agentSourcePath?: string;
+    destBinaryPath?: string;
+    unitFilePath?: string;
+    vaultPath?: string;
+}): Promise<InstallResult>;

package/dist/core/secrets-v2-install.js

@@ -0,0 +1,76 @@
+import { existsSync, readFileSync, writeFileSync, copyFileSync, chmodSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+import { generateAgentUnit } from '../templates/agent-unit.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DEFAULT_AGENT_SOURCE = join(__dirname, '..', 'bin', 'fleet-agent.js');
+const DEFAULT_BINARY_DEST = '/usr/local/bin/fleet-agent';
+const DEFAULT_UNIT_PATH = '/etc/systemd/system/fleet-secrets-agent@.service';
+/** vault dir resolution. mirrors secrets-v2-cleanup.ts — env override
+ *  takes precedence so tests and bespoke deploys both work without
+ *  hardcoding an operator-specific path into the systemd unit. */
+function resolveVaultDir() {
+    return process.env.FLEET_VAULT_DIR ?? join(__dirname, '..', '..', 'vault');
+}
+export async function installV2(opts = {}) {
+    const sourcePath = opts.agentSourcePath ?? DEFAULT_AGENT_SOURCE;
+    const destPath = opts.destBinaryPath ?? DEFAULT_BINARY_DEST;
+    const unitPath = opts.unitFilePath ?? DEFAULT_UNIT_PATH;
+    const vaultPath = opts.vaultPath ?? resolveVaultDir();
+    const dryRun = opts.dryRun ?? false;
+    if (!existsSync(sourcePath)) {
+        throw new SecretsError(`agent binary source not found at ${sourcePath} — run 'npm run build' first`);
+    }
+    const sourceContent = readFileSync(sourcePath);
+    const result = {
+        agentBinaryInstalled: false,
+        unitFileInstalled: false,
+        daemonReloaded: false,
+        templateParseable: false,
+    };
+    // install binary if changed (byte-equal comparison)
+    let needBinaryWrite = !existsSync(destPath);
+    if (!needBinaryWrite) {
+        const existingContent = readFileSync(destPath);
+        needBinaryWrite = !existingContent.equals(sourceContent);
+    }
+    if (needBinaryWrite) {
+        if (!dryRun) {
+            copyFileSync(sourcePath, destPath);
+            chmodSync(destPath, 0o755);
+        }
+        result.agentBinaryInstalled = true;
+    }
+    // install unit file if changed (text-equal comparison)
+    const unitContent = generateAgentUnit(vaultPath);
+    let needUnitWrite = !existsSync(unitPath);
+    if (!needUnitWrite) {
+        const existing = readFileSync(unitPath, 'utf-8');
+        needUnitWrite = existing !== unitContent;
+    }
+    if (needUnitWrite) {
+        if (!dryRun) {
+            writeFileSync(unitPath, unitContent);
+            chmodSync(unitPath, 0o644);
+        }
+        result.unitFileInstalled = true;
+    }
+    // daemon-reload only if we wrote something
+    if ((result.agentBinaryInstalled || result.unitFileInstalled) && !dryRun) {
+        const r = execSafe('systemctl', ['daemon-reload']);
+        if (!r.ok)
+            throw new SecretsError(`systemctl daemon-reload failed: ${r.stderr}`);
+        result.daemonReloaded = true;
+    }
+    // verify template is parseable (soft check — not thrown on failure)
+    if (!dryRun) {
+        const r = execSafe('systemctl', ['cat', 'fleet-secrets-agent@verify.service']);
+        result.templateParseable = r.ok;
+    }
+    else {
+        result.templateParseable = true;
+    }
+    return result;
+}

package/dist/core/secrets-v2-keypair.d.ts

@@ -0,0 +1,10 @@
+export interface Keypair {
+    publicKey: string;
+    privateKey: string;
+}
+export declare function reencryptForRecipient(args: {
+    ciphertext: string;
+    oldKeyPath: string;
+    newRecipient: string;
+}): string;
+export declare function generateKeypair(): Keypair;

package/dist/core/secrets-v2-keypair.js

@@ -0,0 +1,31 @@
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+export function reencryptForRecipient(args) {
+    const dec = execSafe('age', ['-d', '-i', args.oldKeyPath], { input: args.ciphertext });
+    if (!dec.ok) {
+        throw new SecretsError(`decrypt failed: ${dec.stderr}`);
+    }
+    const plaintext = dec.stdout;
+    const enc = execSafe('age', ['-r', args.newRecipient, '--armor'], { input: plaintext });
+    if (!enc.ok) {
+        throw new SecretsError(`encrypt failed: ${enc.stderr}`);
+    }
+    return enc.stdout;
+}
+export function generateKeypair() {
+    const r = execSafe('age-keygen', []);
+    if (!r.ok)
+        throw new SecretsError(`age-keygen failed: ${r.stderr}`);
+    const lines = r.stdout.split('\n');
+    const pub = lines.find(l => l.startsWith('# public key: '))?.slice('# public key: '.length).trim();
+    const priv = lines.find(l => l.startsWith('AGE-SECRET-KEY-'))?.trim();
+    if (!pub || !priv) {
+        const safeOut = r.stdout
+            .split('\n')
+            .filter(l => !l.includes('AGE-SECRET-KEY-'))
+            .join('\n')
+            .slice(0, 200);
+        throw new SecretsError(`could not parse age-keygen output: ${safeOut}`);
+    }
+    return { publicKey: pub, privateKey: priv };
+}

package/dist/core/secrets-v2-migrate.d.ts

@@ -0,0 +1,29 @@
+export interface MigrateOpts {
+    app: string;
+    noRestartApp?: boolean;
+    dryRun?: boolean;
+}
+export interface MigrateStep {
+    step: number;
+    name: string;
+    ok: boolean;
+    detail?: string;
+}
+export interface MigrateResult {
+    app: string;
+    snapshotDir: string | null;
+    steps: MigrateStep[];
+    rolledBack: boolean;
+}
+export declare function migrateAppToV2(opts: MigrateOpts): Promise<MigrateResult>;
+export interface RevertOpts {
+    app: string;
+    snapshotTimestamp?: string;
+}
+export interface RevertResult {
+    app: string;
+    snapshotUsed: string;
+    steps: MigrateStep[];
+    ok: boolean;
+}
+export declare function revertAppFromV2(opts: RevertOpts): Promise<RevertResult>;

package/dist/core/secrets-v2-migrate.js

@@ -0,0 +1,395 @@
+import { existsSync, readFileSync, renameSync, unlinkSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { addAgentDependency } from '../templates/app-unit-edit.js';
+import { generateAgentUnit } from '../templates/agent-unit.js';
+import { migrateComposeToV2 } from '../templates/compose-edit.js';
+import { credentialPathFor, encryptCredential, removeCredential } from './secrets-v2-creds.js';
+import { generateKeypair, reencryptForRecipient } from './secrets-v2-keypair.js';
+import { listSnapshots, restoreSnapshot, snapshotApp } from './secrets-v2-snapshot.js';
+import { loadManifest, saveManifest, VAULT_DIR } from './secrets.js';
+/** vault dir resolution. mirrors secrets-v2-cleanup.ts and
+ *  secrets-v2-install.ts — env override takes precedence so the generated
+ *  systemd unit never carries an operator-specific hardcoded path. */
+function resolveVaultDir() {
+    return process.env.FLEET_VAULT_DIR ?? VAULT_DIR;
+}
+import { findApp, load } from './registry.js';
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+import { validateApp } from './secrets-validate.js';
+const AGENT_UNIT_PATH = '/etc/systemd/system/fleet-secrets-agent@.service';
+const STEP_NAMES = {
+    1: 'snapshot app state',
+    2: 'generate per-app age keypair',
+    3: 're-encrypt vault blob for new recipient',
+    4: 'install fleet-secrets-agent@ systemd unit template',
+    5: 'migrate compose file to v2 socket mode',
+    6: 'add agent dependency to app systemd unit',
+    7: 'update manifest: mode=socket, recipient=<pub>',
+    8: 'encrypt private key as systemd credential',
+    9: 'enable and verify fleet-secrets-agent@<app>.service',
+    10: 'restart app container (docker compose up -d --force-recreate)',
+    11: 'health check app via HTTP /health',
+};
+async function pollHealth(url, deadlineMs = 30_000) {
+    const deadline = Date.now() + deadlineMs;
+    while (Date.now() < deadline) {
+        if (execSafe('curl', ['-sf', '--max-time', '5', url]).ok)
+            return true;
+        await new Promise(r => setTimeout(r, 250));
+    }
+    return false;
+}
+async function waitForSocket(socketPath, timeoutMs = 5000) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+        if (existsSync(socketPath))
+            return true;
+        await new Promise(r => setTimeout(r, 100));
+    }
+    return false;
+}
+function doRollback(opts) {
+    try {
+        restoreSnapshot(opts.snapInput, opts.snap);
+    }
+    catch { /* best-effort */ }
+    const bakPath = join(VAULT_DIR, `${opts.app}.env.age.v1.bak`);
+    if (existsSync(bakPath)) {
+        try {
+            unlinkSync(bakPath);
+        }
+        catch { /* best-effort */ }
+    }
+    if (opts.credentialWritten) {
+        try {
+            removeCredential(opts.app);
+        }
+        catch { /* best-effort */ }
+    }
+    if (opts.agentEnabled) {
+        try {
+            execSafe('systemctl', ['disable', '--now', `fleet-secrets-agent@${opts.app}.service`]);
+        }
+        catch { /* best-effort */ }
+    }
+    try {
+        execSafe('systemctl', ['daemon-reload']);
+    }
+    catch { /* best-effort */ }
+    if (!opts.noRestartApp && opts.failedStep >= 10) {
+        try {
+            execSafe('docker', ['compose', 'up', '-d', '--force-recreate'], { cwd: opts.composePath });
+        }
+        catch { /* best-effort */ }
+    }
+}
+export async function migrateAppToV2(opts) {
+    const { app, noRestartApp = false, dryRun = false } = opts;
+    const registry = load();
+    const appEntry = findApp(registry, app);
+    if (!appEntry) {
+        throw new SecretsError(`app '${app}' not found in fleet registry`);
+    }
+    const manifest = loadManifest();
+    if (manifest.apps[app]?.mode === 'socket') {
+        return {
+            app,
+            snapshotDir: null,
+            steps: [{ step: 1, name: 'already migrated to v2', ok: true }],
+            rolledBack: false,
+        };
+    }
+    if (dryRun) {
+        return {
+            app,
+            snapshotDir: null,
+            steps: Object.entries(STEP_NAMES).map(([n, name]) => ({ step: Number(n), name, ok: true })),
+            rolledBack: false,
+        };
+    }
+    const snapInput = {
+        app,
+        backupRoot: join(VAULT_DIR, 'backups'),
+        vaultDir: VAULT_DIR,
+        encryptedFile: `${app}.env.age`,
+        composeDir: appEntry.composePath,
+        composeFile: appEntry.composeFile ?? 'docker-compose.yml',
+        appUnitFile: `/etc/systemd/system/${app}.service`,
+    };
+    const steps = [];
+    const push = (step, ok, detail) => steps.push({ step, name: STEP_NAMES[step] ?? `step ${step}`, ok, detail });
+    let snap = null;
+    let credentialWritten = false;
+    let agentEnabled = false;
+    const rb = (failedStep, err) => {
+        push(failedStep, false, err instanceof Error ? err.message : String(err));
+        if (snap) {
+            doRollback({
+                snapInput, snap, app, credentialWritten, agentEnabled,
+                noRestartApp, failedStep, composePath: appEntry.composePath,
+            });
+        }
+    };
+    // step 1
+    try {
+        snap = snapshotApp(snapInput);
+        push(1, true, snap.dir);
+    }
+    catch (err) {
+        push(1, false, err instanceof Error ? err.message : String(err));
+        return { app, snapshotDir: null, steps, rolledBack: false };
+    }
+    // step 2
+    let keypair;
+    try {
+        keypair = generateKeypair();
+        push(2, true);
+    }
+    catch (err) {
+        rb(2, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 3
+    try {
+        const oldCiphertext = readFileSync(join(VAULT_DIR, `${app}.env.age`), 'utf-8');
+        const newCiphertext = reencryptForRecipient({
+            ciphertext: oldCiphertext,
+            oldKeyPath: '/etc/fleet/age.key',
+            newRecipient: keypair.publicKey,
+        });
+        renameSync(join(VAULT_DIR, `${app}.env.age`), join(VAULT_DIR, `${app}.env.age.v1.bak`));
+        writeFileSync(join(VAULT_DIR, `${app}.env.age`), newCiphertext);
+        push(3, true);
+    }
+    catch (err) {
+        rb(3, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 4
+    try {
+        const unitContent = generateAgentUnit(resolveVaultDir());
+        const existing = existsSync(AGENT_UNIT_PATH) ? readFileSync(AGENT_UNIT_PATH, 'utf-8') : null;
+        if (existing !== unitContent) {
+            writeFileSync(AGENT_UNIT_PATH, unitContent, { mode: 0o644 });
+        }
+        push(4, true);
+    }
+    catch (err) {
+        rb(4, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 5
+    try {
+        const composePath = join(appEntry.composePath, appEntry.composeFile ?? 'docker-compose.yml');
+        writeFileSync(composePath, migrateComposeToV2(readFileSync(composePath, 'utf-8'), app, appEntry.serviceName));
+        push(5, true);
+    }
+    catch (err) {
+        rb(5, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 6
+    try {
+        const unitPath = `/etc/systemd/system/${app}.service`;
+        writeFileSync(unitPath, addAgentDependency(readFileSync(unitPath, 'utf-8'), app));
+        push(6, true);
+    }
+    catch (err) {
+        rb(6, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 7
+    try {
+        const mf = loadManifest();
+        mf.apps[app] = { ...mf.apps[app], mode: 'socket', recipient: keypair.publicKey };
+        saveManifest(mf);
+        push(7, true);
+    }
+    catch (err) {
+        rb(7, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 8
+    try {
+        encryptCredential({ name: `${app}-age-key`, plaintext: keypair.privateKey, outputPath: credentialPathFor(app) });
+        credentialWritten = true;
+        push(8, true);
+    }
+    catch (err) {
+        rb(8, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 9
+    try {
+        const reload = execSafe('systemctl', ['daemon-reload']);
+        if (!reload.ok)
+            throw new SecretsError(`systemctl daemon-reload failed: ${reload.stderr}`);
+        const enable = execSafe('systemctl', ['enable', '--now', `fleet-secrets-agent@${app}.service`]);
+        if (!enable.ok)
+            throw new SecretsError(`systemctl enable failed: ${enable.stderr}`);
+        agentEnabled = true;
+        const active = execSafe('systemctl', ['is-active', `fleet-secrets-agent@${app}.service`]);
+        if (active.stdout.trim() !== 'active') {
+            throw new SecretsError(`agent not active: ${active.stdout.trim()}`);
+        }
+        if (!await waitForSocket(`/run/fleet-secrets/${app}.sock`)) {
+            throw new SecretsError(`agent socket did not appear within 5s: /run/fleet-secrets/${app}.sock`);
+        }
+        push(9, true);
+    }
+    catch (err) {
+        rb(9, err);
+        return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+    }
+    // step 10
+    if (noRestartApp) {
+        push(10, true);
+    }
+    else {
+        try {
+            execSafe('docker', ['compose', 'up', '-d', '--force-recreate'], { cwd: appEntry.composePath });
+            push(10, true);
+        }
+        catch (err) {
+            rb(10, err);
+            return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+        }
+    }
+    // step 11
+    if (noRestartApp) {
+        push(11, true);
+    }
+    else {
+        try {
+            const port = appEntry.port;
+            const url = port ? `http://localhost:${port}/health` : 'http://localhost/health';
+            if (!await pollHealth(url))
+                throw new SecretsError(`health check timed out after 30s for ${url}`);
+            push(11, true);
+        }
+        catch (err) {
+            rb(11, err);
+            return { app, snapshotDir: snap.dir, steps, rolledBack: true };
+        }
+    }
+    return { app, snapshotDir: snap.dir, steps, rolledBack: false };
+}
+const REVERT_STEP_NAMES = {
+    1: 'disable fleet-secrets-agent@<app>.service (best-effort)',
+    2: 'remove systemd credential for app (best-effort)',
+    3: 'remove .v1.bak file if present (best-effort)',
+    4: 'restore snapshot (vault blob, manifest, compose, unit)',
+    5: 'systemctl daemon-reload',
+    6: 'restart app container (docker compose up -d --force-recreate)',
+    7: 'validate v1 unseal-based secrets',
+};
+export async function revertAppFromV2(opts) {
+    const { app, snapshotTimestamp } = opts;
+    const registry = load();
+    const appEntry = findApp(registry, app);
+    if (!appEntry) {
+        throw new SecretsError(`app '${app}' not found in fleet registry`);
+    }
+    const manifest = loadManifest();
+    if (manifest.apps[app]?.mode !== 'socket') {
+        throw new SecretsError(`app '${app}' is not in v2 (socket) mode — nothing to revert`);
+    }
+    const snapshots = listSnapshots(join(VAULT_DIR, 'backups'), app);
+    if (snapshots.length === 0) {
+        throw new SecretsError(`no snapshots found for app '${app}' — cannot revert`);
+    }
+    let snap;
+    if (snapshotTimestamp !== undefined) {
+        const found = snapshots.find(s => s.timestamp === snapshotTimestamp);
+        if (!found) {
+            throw new SecretsError(`no snapshot with timestamp '${snapshotTimestamp}' found for app '${app}'`);
+        }
+        snap = found;
+    }
+    else {
+        snap = snapshots[0];
+    }
+    const snapInput = {
+        app,
+        backupRoot: join(VAULT_DIR, 'backups'),
+        vaultDir: VAULT_DIR,
+        encryptedFile: `${app}.env.age`,
+        composeDir: appEntry.composePath,
+        composeFile: appEntry.composeFile ?? 'docker-compose.yml',
+        appUnitFile: `/etc/systemd/system/${app}.service`,
+    };
+    const steps = [];
+    const push = (step, ok, detail) => steps.push({ step, name: REVERT_STEP_NAMES[step] ?? `step ${step}`, ok, detail });
+    // step 1 — best-effort: disable agent unit
+    const disableResult = execSafe('systemctl', ['disable', '--now', `fleet-secrets-agent@${app}.service`]);
+    if (!disableResult.ok) {
+        push(1, false, `disable failed (best-effort): ${disableResult.stderr}`);
+    }
+    else {
+        push(1, true, 'agent unit disabled');
+    }
+    // step 2 — best-effort: remove credential
+    try {
+        removeCredential(app);
+        push(2, true, 'credential removed');
+    }
+    catch (err) {
+        push(2, false, `removeCredential failed (best-effort): ${err.message}`);
+    }
+    // step 3 — best-effort: remove v1 backup file
+    const bakPath = join(VAULT_DIR, `${app}.env.age.v1.bak`);
+    try {
+        if (existsSync(bakPath)) {
+            unlinkSync(bakPath);
+        }
+        push(3, true);
+    }
+    catch (err) {
+        push(3, false, `.v1.bak removal failed (best-effort): ${err.message}`);
+    }
+    // step 4 — restore snapshot (mandatory)
+    try {
+        restoreSnapshot(snapInput, snap);
+        push(4, true);
+    }
+    catch (err) {
+        push(4, false, err instanceof Error ? err.message : String(err));
+        throw err;
+    }
+    // step 5 — daemon-reload (mandatory)
+    try {
+        const reload = execSafe('systemctl', ['daemon-reload']);
+        if (!reload.ok)
+            throw new SecretsError(`systemctl daemon-reload failed: ${reload.stderr}`);
+        push(5, true);
+    }
+    catch (err) {
+        push(5, false, err instanceof Error ? err.message : String(err));
+        throw err;
+    }
+    // step 6 — restart app (mandatory)
+    try {
+        execSafe('docker', ['compose', 'up', '-d', '--force-recreate'], { cwd: appEntry.composePath });
+        push(6, true);
+    }
+    catch (err) {
+        push(6, false, err instanceof Error ? err.message : String(err));
+        throw err;
+    }
+    // step 7 — validate v1 secrets (mandatory)
+    try {
+        const validation = validateApp(app);
+        if (!validation.ok) {
+            throw new SecretsError(`v1 secrets validation failed — missing keys: ${validation.missing.join(', ')}`);
+        }
+        push(7, true);
+    }
+    catch (err) {
+        push(7, false, err instanceof Error ? err.message : String(err));
+        throw err;
+    }
+    const mandatoryStepNums = new Set([4, 5, 6, 7]);
+    const ok = steps.filter(s => mandatoryStepNums.has(s.step)).every(s => s.ok);
+    return { app, snapshotUsed: snap.timestamp, steps, ok };
+}

package/dist/core/secrets-v2-ops.d.ts

@@ -0,0 +1,36 @@
+export interface V2AppStatus {
+    name: string;
+    mode: 'unseal' | 'socket';
+    agentActive: boolean;
+    socketOk: boolean;
+    lastSealedAt: string;
+    recipient?: string;
+    keyCount: number;
+}
+export interface V2StatusReport {
+    apps: V2AppStatus[];
+    v1Count: number;
+    v2Count: number;
+}
+export interface V2DriftCheck {
+    name: string;
+    ok: boolean;
+    detail?: string;
+}
+export interface V2DriftResult {
+    app: string;
+    ok: boolean;
+    checks: V2DriftCheck[];
+}
+/**
+ * Verify the deployed v2 state of an app matches what's recorded in the manifest.
+ * Each check returns ok/detail; the overall ok is true only if all checks pass.
+ *
+ * @param app The app name to check.
+ * @param socketPathOverride Test-only injection point. In production, the socket
+ *   path is derived from the app name (`/run/fleet-secrets/<app>.sock`). Tests
+ *   pass a temp-dir path to avoid mocking node:net. Do not set this in
+ *   production code.
+ */
+export declare function getV2Status(): V2StatusReport;
+export declare function detectV2Drift(app: string, socketPathOverride?: string): Promise<V2DriftResult>;