@matthesketh/fleet 1.8.0 → 1.11.0

package/dist/commands/secrets.js

@@ -19,6 +19,10 @@ import { checkHealth } from '../core/health.js';
 import { listSnapshots, restoreSnapshot, snapshotApp } from '../core/secrets-snapshots.js';
 import { auditLog } from '../core/secrets-audit.js';
 import { summariseSecrets, formatSecretsMotd, generateSecretsMotdScript } from '../core/secrets-motd.js';
+import { migrateAppToV2, revertAppFromV2 } from '../core/secrets-v2-migrate.js';
+import { cleanupV2Backups } from '../core/secrets-v2-cleanup.js';
+import { getV2Status } from '../core/secrets-v2-ops.js';
+import { installV2 } from '../core/secrets-v2-install.js';
 function getDbSecretsDir() {
     const reg = load();
     return join(reg.infrastructure.databases.composePath, 'secrets');
@@ -46,8 +50,13 @@ export async function secretsCommand(args) {
         case 'snapshots': return secretsSnapshots(rest);
         case 'motd-init': return secretsMotdInit();
         case 'seal-runtime': return secretsSeal(rest);
+        case 'migrate-v2': return secretsMigrateV2(rest);
+        case 'revert-v2': return secretsRevertV2(rest);
+        case 'cleanup-v2': return secretsCleanupV2(rest);
+        case 'status-v2': return secretsStatusV2(rest);
+        case 'install-v2': return secretsInstallV2(rest);
         default:
-            error('Usage: fleet secrets <init|list|set|get|import|export|seal|unseal|rotate|rotate-key|ages|rollback|snapshots|validate|status|drift|restore>');
+            error('Usage: fleet secrets <init|list|set|get|import|export|seal|unseal|rotate|rotate-key|ages|rollback|snapshots|validate|status|drift|restore|migrate-v2|revert-v2|cleanup-v2|status-v2|install-v2>');
             process.exit(1);
     }
 }
@@ -129,7 +138,7 @@ async function secretsSet(args) {
         error('Empty value — aborting');
         process.exit(1);
     }
-    setSecret(app, key, value, { allowWeak });
+    await setSecret(app, key, value, { allowWeak });
     success(`Set ${key} for ${app}`);
 }
 function secretsGet(args) {
@@ -145,7 +154,7 @@ function secretsGet(args) {
     }
     process.stdout.write(val + '\n');
 }
-function secretsImport(args) {
+async function secretsImport(args) {
     const app = args.find(a => !a.startsWith('-'));
     const pathArg = args[1] && !args[1].startsWith('-') ? args[1] : null;
     if (!app) {
@@ -154,7 +163,7 @@ function secretsImport(args) {
     }
     if (app === 'docker-databases') {
         const dir = pathArg || getDbSecretsDir();
-        const count = importDbSecrets(app, dir);
+        const count = await importDbSecrets(app, dir);
         success(`Imported ${count} secret files from ${dir}`);
         return;
     }
@@ -170,7 +179,7 @@ function secretsImport(args) {
     else {
         throw new SecretsError(`App not in registry and no path given: ${app}`);
     }
-    const count = importEnvFile(app, envPath);
+    const count = await importEnvFile(app, envPath);
     success(`Imported ${count} keys from ${envPath}`);
 }
 function secretsExport(args) {
@@ -187,9 +196,9 @@ function secretsUnseal() {
     const count = Object.keys(manifest.apps).length;
     success(`Unsealed ${count} apps to /run/fleet-secrets/`);
 }
-function secretsSeal(args) {
+async function secretsSeal(args) {
     const app = args.find(a => !a.startsWith('-')) || undefined;
-    const sealed = sealFromRuntime(app);
+    const sealed = await sealFromRuntime(app);
     for (const a of sealed) {
         success(`Sealed ${a}`);
     }
@@ -200,7 +209,7 @@ async function secretsRotateKey(args) {
         info('Cancelled');
         return;
     }
-    const result = rotateKey();
+    const result = await rotateKey();
     success(`Key rotated`);
     info(`Old: ${result.oldPubkey}`);
     info(`New: ${result.newPubkey}`);
@@ -294,7 +303,7 @@ async function rotateOneInteractive(app, secret, opts) {
         info('Cancelled');
         return { acted: false, succeeded: false };
     }
-    const result = performRotation(app, secret.name, newValue, {
+    const result = await performRotation(app, secret.name, newValue, {
         dryRun: opts.dryRun,
         dataMigrated: opts.dataMigrated,
     });
@@ -699,3 +708,142 @@ function secretsRestore(args) {
     success(`Restored vault backup for ${app}`);
     info('Run "fleet secrets unseal" to apply to runtime');
 }
+async function secretsMigrateV2(args) {
+    const app = args[0];
+    if (!app || app.startsWith('-')) {
+        error('Usage: fleet secrets migrate-v2 <app> [--no-restart-app] [--dry-run]');
+        process.exit(1);
+    }
+    const noRestartApp = args.includes('--no-restart-app');
+    const dryRun = args.includes('--dry-run');
+    heading(`Migrating ${app} to v2 (mode=socket)`);
+    if (dryRun)
+        info('DRY RUN — no actual changes will be applied');
+    try {
+        const result = await migrateAppToV2({ app, noRestartApp, dryRun });
+        if (result.rolledBack) {
+            error(`Migration failed; rolled back from snapshot ${result.snapshotDir}`);
+            for (const step of result.steps) {
+                if (!step.ok)
+                    info(`  step ${step.step} (${step.name}): ${step.detail}`);
+            }
+            process.exit(1);
+        }
+        success(`Migrated ${app} to v2`);
+        if (result.snapshotDir)
+            info(`Snapshot: ${result.snapshotDir}`);
+        for (const step of result.steps) {
+            info(`  step ${step.step} (${step.name}): ${step.ok ? 'OK' : 'FAILED'}`);
+        }
+    }
+    catch (err) {
+        error(`Migration failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function secretsRevertV2(args) {
+    const app = args[0];
+    if (!app || app.startsWith('-')) {
+        error('Usage: fleet secrets revert-v2 <app> [--snapshot <timestamp>]');
+        process.exit(1);
+    }
+    const snapIdx = args.indexOf('--snapshot');
+    const snapshotTimestamp = snapIdx >= 0 ? args[snapIdx + 1] : undefined;
+    heading(`Reverting ${app} from v2`);
+    try {
+        const result = await revertAppFromV2({ app, snapshotTimestamp });
+        if (result.ok) {
+            success(`Reverted ${app} to v1; restored from ${result.snapshotUsed}`);
+        }
+        else {
+            error(`Revert reported issues — see steps below`);
+        }
+        for (const step of result.steps) {
+            const status = step.ok ? 'OK' : 'FAILED';
+            info(`  step ${step.step} (${step.name}): ${status}${step.detail ? ' — ' + step.detail : ''}`);
+        }
+    }
+    catch (err) {
+        error(`Revert failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function secretsCleanupV2(args) {
+    const app = args[0];
+    if (!app || app.startsWith('-')) {
+        error('Usage: fleet secrets cleanup-v2 <app> [--retention-days N] [--dry-run]');
+        process.exit(1);
+    }
+    const retIdx = args.indexOf('--retention-days');
+    const retentionDays = retIdx >= 0 ? parseInt(args[retIdx + 1], 10) : 30;
+    const dryRun = args.includes('--dry-run');
+    if (Number.isNaN(retentionDays) || retentionDays < 0) {
+        error(`--retention-days must be a non-negative integer`);
+        process.exit(1);
+    }
+    heading(`Cleaning up v2 backups for ${app} (retention=${retentionDays}d)`);
+    if (dryRun)
+        info('DRY RUN — no actual deletions');
+    try {
+        const result = await cleanupV2Backups({ app, retentionDays, dryRun });
+        if (result.removedBak)
+            info(`v1 backup blob ${dryRun ? 'would be removed' : 'removed'}`);
+        info(`Snapshots removed: ${result.removedSnapshots.length}`);
+        info(`Snapshots kept:    ${result.keptSnapshots.length}`);
+        for (const ts of result.removedSnapshots)
+            info(`  - ${ts}`);
+        success('Cleanup complete');
+    }
+    catch (err) {
+        error(`Cleanup failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function secretsInstallV2(args) {
+    const dryRun = args.includes('--dry-run');
+    heading(`Installing fleet-secrets-agent v2 host components`);
+    if (dryRun)
+        info('DRY RUN');
+    try {
+        const result = await installV2({ dryRun });
+        if (result.agentBinaryInstalled)
+            success('Agent binary installed at /usr/local/bin/fleet-agent');
+        else
+            info('Agent binary already current');
+        if (result.unitFileInstalled)
+            success('Templated unit installed at /etc/systemd/system/fleet-secrets-agent@.service');
+        else
+            info('Unit file already current');
+        if (result.daemonReloaded)
+            success('systemctl daemon-reload completed');
+        if (!result.templateParseable && !dryRun)
+            warn('Templated unit did not parse cleanly — investigate');
+        else if (!dryRun)
+            success('Templated unit verified');
+    }
+    catch (err) {
+        error(`Install failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+function secretsStatusV2(_args) {
+    const report = getV2Status();
+    heading('Fleet secrets v2 status');
+    info(`v1 (unseal): ${report.v1Count} apps`);
+    info(`v2 (socket): ${report.v2Count} apps`);
+    info('');
+    if (report.apps.length === 0) {
+        info('No apps in manifest');
+        return;
+    }
+    const headers = ['App', 'Mode', 'Agent', 'Socket', 'Keys', 'Last sealed'];
+    const rows = report.apps.map(a => [
+        a.name,
+        a.mode,
+        a.mode === 'socket' ? (a.agentActive ? 'active' : 'inactive') : '—',
+        a.mode === 'socket' ? (a.socketOk ? 'ok' : 'BAD') : '—',
+        String(a.keyCount),
+        a.lastSealedAt.slice(0, 10),
+    ]);
+    table(headers, rows);
+}

package/dist/commands/start.d.ts

@@ -1 +1,4 @@
-export declare function startCommand(args: string[]): void;
+export declare const startCommand: import("../registry/types.js").CommandDef<{
+    app: string;
+    service: string;
+}>;

package/dist/commands/start.js

@@ -1,22 +1,19 @@
+import { z } from 'zod';
 import { load, findApp } from '../core/registry.js';
 import { startService } from '../core/systemd.js';
-import { AppNotFoundError } from '../core/errors.js';
-import { success, error } from '../ui/output.js';
-export function startCommand(args) {
-    const appName = args[0];
-    if (!appName) {
-        error('Usage: fleet start <app>');
-        process.exit(1);
-    }
-    const reg = load();
-    const app = findApp(reg, appName);
-    if (!app)
-        throw new AppNotFoundError(appName);
-    if (startService(app.serviceName)) {
-        success(`Started ${app.name}`);
-    }
-    else {
-        error(`Failed to start ${app.name}`);
-        process.exit(1);
-    }
-}
+import { defineCommand } from '../registry/registry.js';
+export const startCommand = defineCommand({
+    name: 'start',
+    summary: 'Start an app via systemctl',
+    args: z.object({ app: z.string() }),
+    async run(args) {
+        const app = findApp(load(), args.app);
+        if (!app) {
+            return { ok: false, summary: `app not found: ${args.app}`, data: { app: args.app, service: '' } };
+        }
+        if (!startService(app.serviceName)) {
+            return { ok: false, summary: `failed to start ${app.name}`, data: { app: app.name, service: app.serviceName } };
+        }
+        return { ok: true, summary: `started ${app.name}`, data: { app: app.name, service: app.serviceName } };
+    },
+});

package/dist/commands/status.d.ts

@@ -11,4 +11,4 @@ export interface StatusData {
     unhealthy: number;
 }
 export declare function getStatusData(): StatusData;
-export declare function statusCommand(args: string[]): void;
+export declare const statusCommand: import("../registry/types.js").CommandDef<StatusData>;

package/dist/commands/status.js

@@ -1,7 +1,8 @@
+import { z } from 'zod';
 import { load } from '../core/registry.js';
 import { getMultipleServiceStatuses, systemdAvailable } from '../core/systemd.js';
 import { listContainers } from '../core/docker.js';
-import { c, icon, heading, table, info } from '../ui/output.js';
+import { defineCommand } from '../registry/registry.js';
 export function getStatusData() {
     const reg = load();
     const containers = listContainers();
@@ -47,28 +48,22 @@ export function getStatusData() {
         unhealthy: apps.filter(a => a.health !== 'healthy').length,
     };
 }
-export function statusCommand(args) {
-    const json = args.includes('--json');
-    const data = getStatusData();
-    if (json) {
-        process.stdout.write(JSON.stringify(data, null, 2) + '\n');
-        return;
-    }
-    heading('Fleet Dashboard');
-    info(`${data.totalApps} apps | ${c.green}${data.healthy} healthy${c.reset} | ${data.unhealthy > 0 ? c.red : c.dim}${data.unhealthy} unhealthy${c.reset}`);
-    const rows = data.apps.map(app => {
-        const healthIcon = app.health === 'healthy' ? icon.ok
-            : app.health === 'frozen' ? icon.info
-                : app.health === 'degraded' ? icon.warn
-                    : icon.err;
-        const systemdColor = app.systemd === 'active' ? c.green : c.red;
-        return [
-            `${c.bold}${app.name}${c.reset}`,
-            `${systemdColor}${app.systemd}${c.reset}`,
-            app.containers,
-            `${healthIcon} ${app.health}`,
-        ];
-    });
-    table(['APP', 'SYSTEMD', 'CONTAINERS', 'HEALTH'], rows);
-    process.stdout.write('\n');
-}
+export const statusCommand = defineCommand({
+    name: 'status',
+    summary: 'Dashboard: all apps, systemd state, containers, health',
+    args: z.object({}),
+    tui: { view: 'dashboard' },
+    async run() {
+        const data = getStatusData();
+        return {
+            ok: true,
+            summary: `${data.totalApps} apps | ${data.healthy} healthy | ${data.unhealthy} unhealthy`,
+            data,
+            render: {
+                kind: 'table',
+                columns: ['APP', 'SYSTEMD', 'CONTAINERS', 'HEALTH'],
+                rows: data.apps.map(a => [a.name, a.systemd, a.containers, a.health]),
+            },
+        };
+    },
+});

package/dist/commands/stop.d.ts

@@ -1 +1,4 @@
-export declare function stopCommand(args: string[]): void;
+export declare const stopCommand: import("../registry/types.js").CommandDef<{
+    app: string;
+    service: string;
+}>;

package/dist/commands/stop.js

@@ -1,22 +1,19 @@
+import { z } from 'zod';
 import { load, findApp } from '../core/registry.js';
 import { stopService } from '../core/systemd.js';
-import { AppNotFoundError } from '../core/errors.js';
-import { success, error } from '../ui/output.js';
-export function stopCommand(args) {
-    const appName = args[0];
-    if (!appName) {
-        error('Usage: fleet stop <app>');
-        process.exit(1);
-    }
-    const reg = load();
-    const app = findApp(reg, appName);
-    if (!app)
-        throw new AppNotFoundError(appName);
-    if (stopService(app.serviceName)) {
-        success(`Stopped ${app.name}`);
-    }
-    else {
-        error(`Failed to stop ${app.name}`);
-        process.exit(1);
-    }
-}
+import { defineCommand } from '../registry/registry.js';
+export const stopCommand = defineCommand({
+    name: 'stop',
+    summary: 'Stop an app via systemctl',
+    args: z.object({ app: z.string() }),
+    async run(args) {
+        const app = findApp(load(), args.app);
+        if (!app) {
+            return { ok: false, summary: `app not found: ${args.app}`, data: { app: args.app, service: '' } };
+        }
+        if (!stopService(app.serviceName)) {
+            return { ok: false, summary: `failed to stop ${app.name}`, data: { app: app.name, service: app.serviceName } };
+        }
+        return { ok: true, summary: `stopped ${app.name}`, data: { app: app.name, service: app.serviceName } };
+    },
+});

package/dist/commands/testflight.d.ts

@@ -0,0 +1 @@
+export declare function testflightCommand(args: string[]): Promise<void>;

package/dist/commands/testflight.js

@@ -0,0 +1,193 @@
+import { resolveAscCredentials, hasAscCredentials } from '../core/testflight/credentials.js';
+import { ghVersion, resolveRepo, repoSecrets, dispatchWorkflow, latestRun, watchRun, } from '../core/testflight/workflow.js';
+import { listBuilds, expireBuild, setWhatsNew, verifyApp } from '../core/testflight/asc.js';
+import { resolveTestflightTarget, appSecretsEnv } from '../core/testflight/resolve.js';
+import { heading, success, error, info, warn, table } from '../ui/output.js';
+// the build workflow this command dispatches by default — a macos-runner
+// workflow committed to the app's repo at .github/workflows/.
+const DEFAULT_WORKFLOW = 'ios-testflight.yml';
+// the actions secrets the build workflow needs to sign and upload an .ipa.
+const REQUIRED_REPO_SECRETS = [
+    'ASC_API_KEY_ID', 'ASC_API_KEY_ISSUER_ID', 'ASC_API_KEY_B64', 'APPLE_TEAM_ID',
+];
+const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));
+// `fleet testflight` — publish a mobile app to TestFlight by dispatching its
+// repo's macOS build workflow, and manage its builds through the App Store
+// Connect API. an iOS .ipa can only be built on macOS, so publish runs the
+// build on a github-hosted runner rather than locally.
+export async function testflightCommand(args) {
+    switch (args[0]) {
+        case 'doctor': return tfDoctor(args.slice(1));
+        case 'publish': return tfPublish(args.slice(1));
+        case 'builds': return tfBuilds(args.slice(1));
+        case 'update': return tfUpdate(args.slice(1));
+        case 'delete': return tfDelete(args.slice(1));
+        default:
+            error('Usage: fleet testflight <doctor|publish|builds|update|delete>');
+            process.exit(1);
+    }
+}
+function extractFlag(args, flag) {
+    const idx = args.indexOf(flag);
+    if (idx === -1 || idx + 1 >= args.length)
+        return undefined;
+    return args[idx + 1];
+}
+async function tfDoctor(args) {
+    heading('TestFlight — readiness');
+    const gh = ghVersion();
+    if (gh)
+        success(`GitHub CLI available: ${gh}`);
+    else
+        error('GitHub CLI (gh) not found — required to dispatch the build workflow');
+    const appName = args.find(a => !a.startsWith('-'));
+    if (!appName) {
+        info('Pass an app name to check its repo + credentials: fleet testflight doctor <app>');
+        return;
+    }
+    const { app, projectPath } = resolveTestflightTarget(appName);
+    const repo = resolveRepo(projectPath);
+    if (repo) {
+        success(`GitHub repo: ${repo}`);
+        const secrets = repoSecrets(repo);
+        if (secrets) {
+            const missing = REQUIRED_REPO_SECRETS.filter(s => !secrets.includes(s));
+            if (missing.length === 0)
+                success('Repo Actions secrets present — the build workflow can sign and upload');
+            else
+                warn(`Repo Actions secrets missing: ${missing.join(', ')} — set them with "gh secret set"`);
+        }
+        else {
+            warn('Could not list repo Actions secrets — check "gh auth status"');
+        }
+    }
+    else {
+        warn(`No GitHub repo resolved for ${app} — publish needs a gh checkout at ${projectPath}`);
+    }
+    const env = appSecretsEnv(app);
+    if (!hasAscCredentials(env)) {
+        error(`App Store Connect credentials missing for ${app}`);
+        info('Required vault secrets: ASC_API_KEY_ID, ASC_API_KEY_ISSUER_ID, ASC_API_KEY_B64');
+        process.exit(1);
+    }
+    success('App Store Connect credentials present (builds/update/delete)');
+    const ascAppId = env.ASC_APP_ID;
+    if (!ascAppId) {
+        warn('ASC_APP_ID not set — builds/update/delete need it');
+        return;
+    }
+    try {
+        const name = await verifyApp(resolveAscCredentials(env), ascAppId);
+        success(`App Store Connect reachable — app: ${name}`);
+    }
+    catch (err) {
+        error(`App Store Connect check failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function tfPublish(args) {
+    const appName = args.find(a => !a.startsWith('-'));
+    if (!appName) {
+        error('Usage: fleet testflight publish <app> [--workflow <file>] [--ref <branch>] [--watch]');
+        process.exit(1);
+    }
+    const workflow = extractFlag(args, '--workflow') ?? DEFAULT_WORKFLOW;
+    const ref = extractFlag(args, '--ref');
+    const watch = args.includes('--watch');
+    const { app, projectPath } = resolveTestflightTarget(appName);
+    heading(`TestFlight publish: ${app}`);
+    if (!ghVersion()) {
+        error('GitHub CLI (gh) not found — required to dispatch the build workflow');
+        process.exit(1);
+    }
+    const repo = resolveRepo(projectPath);
+    if (!repo) {
+        error(`Could not resolve a GitHub repo for ${app} — is ${projectPath} a gh checkout?`);
+        process.exit(1);
+    }
+    // remember the newest run so the one this dispatch queues can be told
+    // apart from it — `gh workflow run` returns no run id of its own.
+    const before = latestRun(repo, workflow)?.databaseId ?? 0;
+    info(`Dispatching ${workflow} on ${repo}${ref ? ` (${ref})` : ''}...`);
+    const dispatch = dispatchWorkflow(repo, workflow, ref);
+    if (!dispatch.ok) {
+        error(`Workflow dispatch failed: ${dispatch.message}`);
+        process.exit(1);
+    }
+    success('Workflow dispatched — the iOS build runs on a macOS runner (~15-30 min)');
+    // the queued run is not addressable straight away; poll briefly for it.
+    let run = latestRun(repo, workflow);
+    for (let i = 0; i < 10 && (!run || run.databaseId === before); i++) {
+        await sleep(3000);
+        run = latestRun(repo, workflow);
+    }
+    if (!run || run.databaseId === before) {
+        info(`Track it at https://github.com/${repo}/actions/workflows/${workflow}`);
+        return;
+    }
+    info(`Run: ${run.url}`);
+    if (watch) {
+        const code = watchRun(repo, run.databaseId);
+        if (code !== 0) {
+            error('The build workflow failed — see the run log above');
+            process.exit(1);
+        }
+        success(`${app} built and uploaded to TestFlight`);
+    }
+}
+async function tfBuilds(args) {
+    const appName = args.find(a => !a.startsWith('-'));
+    const json = args.includes('--json');
+    if (!appName) {
+        error('Usage: fleet testflight builds <app> [--app-id <id>] [--json]');
+        process.exit(1);
+    }
+    const { app } = resolveTestflightTarget(appName);
+    const env = appSecretsEnv(app);
+    const ascAppId = extractFlag(args, '--app-id') ?? env.ASC_APP_ID;
+    if (!ascAppId) {
+        error('App Store Connect app id required — set ASC_APP_ID or pass --app-id');
+        process.exit(1);
+    }
+    const builds = await listBuilds(resolveAscCredentials(env), ascAppId);
+    if (json) {
+        process.stdout.write(JSON.stringify(builds, null, 2) + '\n');
+        return;
+    }
+    heading(`TestFlight builds: ${app}`);
+    if (builds.length === 0) {
+        info('No builds found.');
+        return;
+    }
+    table(['BUILD', 'VERSION', 'STATE', 'EXPIRED', 'UPLOADED'], builds.map(b => [
+        b.version,
+        b.shortVersion,
+        b.processingState,
+        b.expired ? 'yes' : 'no',
+        b.uploadedDate.slice(0, 10),
+    ]));
+    process.stdout.write('\n');
+}
+async function tfUpdate(args) {
+    const appName = args.find(a => !a.startsWith('-'));
+    const buildId = extractFlag(args, '--build');
+    const whatsNew = extractFlag(args, '--whats-new');
+    if (!appName || !buildId || !whatsNew) {
+        error('Usage: fleet testflight update <app> --build <build-id> --whats-new "..."');
+        process.exit(1);
+    }
+    const { app } = resolveTestflightTarget(appName);
+    await setWhatsNew(resolveAscCredentials(appSecretsEnv(app)), buildId, whatsNew);
+    success(`Updated the "What to Test" notes for build ${buildId}`);
+}
+async function tfDelete(args) {
+    const appName = args.find(a => !a.startsWith('-'));
+    const buildId = extractFlag(args, '--build');
+    if (!appName || !buildId) {
+        error('Usage: fleet testflight delete <app> --build <build-id>');
+        process.exit(1);
+    }
+    const { app } = resolveTestflightTarget(appName);
+    await expireBuild(resolveAscCredentials(appSecretsEnv(app)), buildId);
+    success(`Expired build ${buildId} — it is no longer installable from TestFlight`);
+}

package/dist/commands/update.d.ts

@@ -0,0 +1,16 @@
+export interface UpdateData {
+    channel: 'stable' | 'prerelease';
+    remoteBranch: string;
+    localBranch: string;
+    available: boolean;
+    behind: number;
+    latestSubject: string;
+    /** populated only when an apply actually ran. */
+    pulled?: number;
+    buildOk?: boolean;
+    output?: string;
+    error?: string;
+}
+/** CLI surface for self-update. equivalent to the TUI banner + U key, but
+ *  driveable from a dumb terminal, a cron job, or a Claude session. */
+export declare const updateCommand: import("../registry/types.js").CommandDef<UpdateData>;