@matthesketh/fleet 1.8.1 → 1.11.0

package/dist/core/secrets-v2-ops.js

@@ -0,0 +1,184 @@
+import { existsSync, statSync } from 'node:fs';
+import { createConnection } from 'node:net';
+import { credentialPathFor } from './secrets-v2-creds.js';
+import { execSafe } from './exec.js';
+import { loadManifest } from './secrets.js';
+const AGE_PUBKEY_RE = /^age1[a-z0-9]+$/;
+function checkRecipient(recipient) {
+    if (!recipient || !AGE_PUBKEY_RE.test(recipient)) {
+        return {
+            name: 'recipient_matches',
+            ok: false,
+            detail: `invalid age public key format: ${recipient ?? '(missing)'}`,
+        };
+    }
+    return {
+        name: 'recipient_matches',
+        ok: true,
+        detail: 'format only — full cryptographic check requires running agent',
+    };
+}
+function checkCredentialPresent(app) {
+    const credPath = credentialPathFor(app);
+    const present = existsSync(credPath);
+    return {
+        name: 'credential_present',
+        ok: present,
+        detail: present ? undefined : `not found: ${credPath}`,
+    };
+}
+function checkAgentActive(app) {
+    const unit = `fleet-secrets-agent@${app}.service`;
+    const result = execSafe('systemctl', ['is-active', unit]);
+    const active = result.stdout.trim() === 'active';
+    return {
+        name: 'agent_active',
+        ok: active,
+        detail: active ? undefined : `systemctl is-active: ${result.stdout.trim() || result.stderr.trim()}`,
+    };
+}
+function checkSocketPresent(socketPath) {
+    const present = existsSync(socketPath);
+    return {
+        name: 'socket_present',
+        ok: present,
+        detail: present ? undefined : `not found: ${socketPath}`,
+    };
+}
+function checkSocketPerms(socketPath) {
+    try {
+        const st = statSync(socketPath);
+        const perms = st.mode & 0o777;
+        const correct = perms === 0o660;
+        return {
+            name: 'socket_perms',
+            ok: correct,
+            detail: correct ? undefined : `expected 0o660, got 0o${perms.toString(8)}`,
+        };
+    }
+    catch (err) {
+        return {
+            name: 'socket_perms',
+            ok: false,
+            detail: `statSync failed: ${err.message}`,
+        };
+    }
+}
+function fetchFromSocket(socketPath, timeoutMs = 2000) {
+    return new Promise((resolve, reject) => {
+        const sock = createConnection(socketPath);
+        let response = '';
+        sock.setTimeout(timeoutMs, () => {
+            sock.destroy();
+            reject(new Error('socket fetch timed out'));
+        });
+        sock.on('error', (err) => reject(err));
+        sock.on('connect', () => {
+            sock.write('GET /health HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n');
+        });
+        sock.on('data', (chunk) => { response += chunk.toString(); });
+        sock.on('end', () => resolve(response));
+        sock.on('close', () => {
+            if (response)
+                resolve(response);
+        });
+    });
+}
+function parseJsonBody(raw) {
+    const sep = raw.indexOf('\r\n\r\n');
+    const body = sep === -1 ? raw : raw.slice(sep + 4);
+    return JSON.parse(body.trim());
+}
+async function checkSampleFetchKeys(app, socketPath, keyCount) {
+    try {
+        const raw = await fetchFromSocket(socketPath);
+        const data = parseJsonBody(raw);
+        if (data.app !== app) {
+            return {
+                name: 'sample_fetch_keys',
+                ok: false,
+                detail: `app mismatch: expected '${app}', got '${String(data.app)}'`,
+            };
+        }
+        const secrets = typeof data.secrets === 'number' ? data.secrets : -1;
+        if (keyCount > 0 && secrets <= 0) {
+            return {
+                name: 'sample_fetch_keys',
+                ok: false,
+                detail: `expected secrets > 0, got ${secrets}`,
+            };
+        }
+        return { name: 'sample_fetch_keys', ok: true };
+    }
+    catch (err) {
+        return {
+            name: 'sample_fetch_keys',
+            ok: false,
+            detail: err.message,
+        };
+    }
+}
+/**
+ * Verify the deployed v2 state of an app matches what's recorded in the manifest.
+ * Each check returns ok/detail; the overall ok is true only if all checks pass.
+ *
+ * @param app The app name to check.
+ * @param socketPathOverride Test-only injection point. In production, the socket
+ *   path is derived from the app name (`/run/fleet-secrets/<app>.sock`). Tests
+ *   pass a temp-dir path to avoid mocking node:net. Do not set this in
+ *   production code.
+ */
+export function getV2Status() {
+    const manifest = loadManifest();
+    const apps = [];
+    let v1Count = 0;
+    let v2Count = 0;
+    for (const [name, entry] of Object.entries(manifest.apps)) {
+        const mode = (entry.mode ?? 'unseal');
+        let agentActive = false;
+        let socketOk = false;
+        if (mode === 'socket') {
+            v2Count++;
+            const isActive = execSafe('systemctl', ['is-active', `fleet-secrets-agent@${name}.service`]);
+            agentActive = isActive.ok && isActive.stdout.trim() === 'active';
+            const socketPath = `/run/fleet-secrets/${name}.sock`;
+            if (existsSync(socketPath)) {
+                try {
+                    const perms = statSync(socketPath).mode & 0o777;
+                    socketOk = perms === 0o660;
+                }
+                catch { /* keep socketOk false */ }
+            }
+        }
+        else {
+            v1Count++;
+        }
+        apps.push({ name, mode, agentActive, socketOk, lastSealedAt: entry.lastSealedAt, recipient: entry.recipient, keyCount: entry.keyCount });
+    }
+    return { apps, v1Count, v2Count };
+}
+export async function detectV2Drift(app, socketPathOverride) {
+    const manifest = loadManifest();
+    const entry = manifest.apps[app];
+    if (!entry || entry.mode !== 'socket') {
+        return {
+            app,
+            ok: false,
+            checks: [{ name: 'mode', ok: false, detail: 'app not in v2 mode' }],
+        };
+    }
+    const socketPath = socketPathOverride ?? `/run/fleet-secrets/${app}.sock`;
+    const checks = [
+        checkRecipient(entry.recipient),
+        checkCredentialPresent(app),
+        checkAgentActive(app),
+        checkSocketPresent(socketPath),
+        checkSocketPerms(socketPath),
+        await checkSampleFetchKeys(app, socketPath, entry.keyCount),
+    ];
+    return {
+        app,
+        ok: checks.every(c => c.ok),
+        checks,
+    };
+}

package/dist/core/secrets-v2-protocol.d.ts

@@ -0,0 +1,19 @@
+export declare class ProtocolError extends Error {
+    constructor(message: string);
+}
+export interface ParsedRequest {
+    method: 'GET' | 'POST';
+    path: string;
+    body: string;
+}
+/**
+ * Parse a single HTTP/1.1 request from a Unix-socket read buffer.
+ *
+ * Callers must enforce an upper bound on `buf` size BEFORE invoking. This
+ * function will scan the full buffer for the header terminator (`\r\n\r\n`)
+ * and so does O(n) work on n bytes — feeding it arbitrarily large input is
+ * a DoS vector. The socket server should cap reads at a small multiple of
+ * MAX_BODY (e.g., 8 KiB) and call this only on bounded buffers.
+ */
+export declare function parseRequest(buf: Buffer): ParsedRequest;
+export declare function writeResponse(status: number, body: unknown): Buffer;

package/dist/core/secrets-v2-protocol.js

@@ -0,0 +1,60 @@
+export class ProtocolError extends Error {
+    constructor(message) { super(message); this.name = 'ProtocolError'; }
+}
+const MAX_BODY = 1024;
+const ALLOWED_METHODS = new Set(['GET', 'POST']);
+/**
+ * Parse a single HTTP/1.1 request from a Unix-socket read buffer.
+ *
+ * Callers must enforce an upper bound on `buf` size BEFORE invoking. This
+ * function will scan the full buffer for the header terminator (`\r\n\r\n`)
+ * and so does O(n) work on n bytes — feeding it arbitrarily large input is
+ * a DoS vector. The socket server should cap reads at a small multiple of
+ * MAX_BODY (e.g., 8 KiB) and call this only on bounded buffers.
+ */
+export function parseRequest(buf) {
+    const TERM = Buffer.from('\r\n\r\n');
+    const headerEnd = buf.indexOf(TERM);
+    if (headerEnd < 0)
+        throw new ProtocolError('incomplete request: no header terminator');
+    const bodyStart = headerEnd + TERM.length;
+    const bodyBytes = buf.length - bodyStart;
+    if (bodyBytes > MAX_BODY) {
+        throw new ProtocolError(`body too large: ${bodyBytes} > ${MAX_BODY}`);
+    }
+    const headerBlock = buf.slice(0, headerEnd).toString('utf-8');
+    const body = buf.slice(bodyStart).toString('utf-8');
+    const first = headerBlock.split('\r\n')[0] ?? '';
+    const m = first.match(/^([A-Z]+) (\S+) HTTP\/1\.1$/);
+    if (!m)
+        throw new ProtocolError(`malformed request line: ${first}`);
+    const method = m[1];
+    const path = m[2];
+    if (!ALLOWED_METHODS.has(method)) {
+        throw new ProtocolError(`method not allowed: ${method}`);
+    }
+    if (path.includes('?')) {
+        throw new ProtocolError('query string not supported');
+    }
+    return { method: method, path, body };
+}
+const STATUS = {
+    200: '200 OK',
+    400: '400 Bad Request',
+    404: '404 Not Found',
+    405: '405 Method Not Allowed',
+    413: '413 Payload Too Large',
+    429: '429 Too Many Requests',
+    500: '500 Internal Server Error',
+};
+export function writeResponse(status, body) {
+    const statusLine = STATUS[status] ?? `${status} Unknown`;
+    const json = JSON.stringify(body);
+    const buf = Buffer.from(json, 'utf-8');
+    const head = `HTTP/1.1 ${statusLine}\r\n` +
+        `Content-Type: application/json\r\n` +
+        `Content-Length: ${buf.length}\r\n` +
+        `Connection: close\r\n` +
+        `\r\n`;
+    return Buffer.concat([Buffer.from(head, 'utf-8'), buf]);
+}

package/dist/core/secrets-v2-snapshot.d.ts

@@ -0,0 +1,36 @@
+export interface SnapshotInput {
+    app: string;
+    backupRoot: string;
+    vaultDir: string;
+    encryptedFile: string;
+    composeDir: string;
+    composeFile: string;
+    appUnitFile: string;
+}
+export interface Snapshot {
+    app: string;
+    timestamp: string;
+    dir: string;
+    manifestEntry: unknown;
+}
+/**
+ * capture a timestamped backup of all four artefacts for an app:
+ *  - encrypted vault blob
+ *  - manifest entry (as manifest.json in the snapshot dir)
+ *  - compose file
+ *  - systemd unit (if it exists)
+ */
+export declare function snapshotApp(input: SnapshotInput): Snapshot;
+/**
+ * restore all four artefacts from a snapshot back to their original locations.
+ * the manifest is merged: only apps[app] is replaced, other apps are untouched.
+ * if the unit file wasn't captured (didn't exist at snapshot time), no unit is written.
+ */
+export declare function restoreSnapshot(input: SnapshotInput, snap: Snapshot): void;
+/**
+ * walk backupRoot looking for <timestamp>/<app>/ directories.
+ * returns snapshots sorted newest-first by timestamp string (lexicographic, which
+ * works correctly for the ISO-safe format with dashes instead of colons/dots).
+ * returns [] if backupRoot doesn't exist.
+ */
+export declare function listSnapshots(backupRoot: string, app: string): Snapshot[];

package/dist/core/secrets-v2-snapshot.js

@@ -0,0 +1,115 @@
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync, } from 'node:fs';
+import { basename, join } from 'node:path';
+// callers must serialise migration operations: same-millisecond invocations
+// would write to the same backup dir and silently overwrite each other.
+// migrate-v2 (Task 21) is the only caller and is invoked one app at a time.
+function makeTimestamp() {
+    return new Date().toISOString().replace(/[:.]/g, '-');
+}
+/**
+ * capture a timestamped backup of all four artefacts for an app:
+ *  - encrypted vault blob
+ *  - manifest entry (as manifest.json in the snapshot dir)
+ *  - compose file
+ *  - systemd unit (if it exists)
+ */
+export function snapshotApp(input) {
+    const { app, backupRoot, vaultDir, encryptedFile, composeDir, composeFile, appUnitFile } = input;
+    // ensure backupRoot exists at 0700 — mkdirSync only sets mode on newly
+    // created dirs; if it pre-existed with a looser mode, chmod it explicitly.
+    if (!existsSync(backupRoot)) {
+        mkdirSync(backupRoot, { recursive: true, mode: 0o700 });
+    }
+    else {
+        chmodSync(backupRoot, 0o700);
+    }
+    const timestamp = makeTimestamp();
+    const snapDir = join(backupRoot, timestamp, app);
+    mkdirSync(snapDir, { recursive: true, mode: 0o700 });
+    // 1. encrypted vault blob
+    copyFileSync(join(vaultDir, encryptedFile), join(snapDir, encryptedFile));
+    // 2. manifest entry for this app only
+    const manifestPath = join(vaultDir, 'manifest.json');
+    const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+    const manifestEntry = manifest.apps[app] ?? {};
+    writeFileSync(join(snapDir, 'manifest.json'), JSON.stringify(manifestEntry, null, 2));
+    // 3. compose file
+    copyFileSync(join(composeDir, composeFile), join(snapDir, composeFile));
+    // 4. systemd unit (omitted if it doesn't exist yet)
+    if (existsSync(appUnitFile)) {
+        copyFileSync(appUnitFile, join(snapDir, basename(appUnitFile)));
+    }
+    return { app, timestamp, dir: snapDir, manifestEntry };
+}
+/**
+ * restore all four artefacts from a snapshot back to their original locations.
+ * the manifest is merged: only apps[app] is replaced, other apps are untouched.
+ * if the unit file wasn't captured (didn't exist at snapshot time), no unit is written.
+ */
+export function restoreSnapshot(input, snap) {
+    const { app, vaultDir, encryptedFile, composeDir, composeFile, appUnitFile } = input;
+    const { dir: snapDir } = snap;
+    // 1. encrypted vault blob
+    copyFileSync(join(snapDir, encryptedFile), join(vaultDir, encryptedFile));
+    // 2. manifest entry — merge back into live manifest, leaving other apps untouched
+    const snapEntryRaw = readFileSync(join(snapDir, 'manifest.json'), 'utf-8');
+    const snapEntry = JSON.parse(snapEntryRaw);
+    const manifestPath = join(vaultDir, 'manifest.json');
+    const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+    manifest.apps[app] = snapEntry;
+    writeFileSync(manifestPath, JSON.stringify(manifest, null, 2) + '\n');
+    // 3. compose file
+    copyFileSync(join(snapDir, composeFile), join(composeDir, composeFile));
+    // 4. systemd unit — only write back if it was captured in the snapshot
+    const unitBasename = basename(appUnitFile);
+    const snapUnit = join(snapDir, unitBasename);
+    if (existsSync(snapUnit)) {
+        copyFileSync(snapUnit, appUnitFile);
+    }
+}
+/**
+ * walk backupRoot looking for <timestamp>/<app>/ directories.
+ * returns snapshots sorted newest-first by timestamp string (lexicographic, which
+ * works correctly for the ISO-safe format with dashes instead of colons/dots).
+ * returns [] if backupRoot doesn't exist.
+ */
+export function listSnapshots(backupRoot, app) {
+    if (!existsSync(backupRoot))
+        return [];
+    const results = [];
+    for (const entry of readdirSync(backupRoot)) {
+        const tsDir = join(backupRoot, entry);
+        try {
+            if (!statSync(tsDir).isDirectory())
+                continue;
+        }
+        catch {
+            continue;
+        }
+        const appDir = join(tsDir, app);
+        try {
+            if (!statSync(appDir).isDirectory())
+                continue;
+        }
+        catch {
+            continue;
+        }
+        let manifestEntry = null;
+        const mPath = join(appDir, 'manifest.json');
+        if (existsSync(mPath)) {
+            try {
+                manifestEntry = JSON.parse(readFileSync(mPath, 'utf-8'));
+            }
+            catch { /* leave null */ }
+        }
+        results.push({
+            app,
+            timestamp: entry,
+            dir: appDir,
+            manifestEntry,
+        });
+    }
+    // Sort newest-first — the timestamp format is lexicographically sortable
+    results.sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+    return results;
+}

package/dist/core/secrets-v2.d.ts

@@ -0,0 +1,21 @@
+export declare const IDLE_TIMEOUT_MS = 30000;
+export declare function _resetRateLimit(initialTokens?: number): void;
+export declare function decryptVaultBlob(privateKeyPath: string, blobPath: string): Record<string, string>;
+export interface AgentDeps {
+    app: string;
+    getSecrets: () => Record<string, string>;
+    refresh: () => void;
+}
+export interface Server {
+    listen(path: string): Promise<void>;
+    close(): Promise<void>;
+}
+export declare function createServer(deps: AgentDeps): Server;
+export interface AgentArgs {
+    app: string;
+    vault: string;
+    socket: string;
+    credential?: string;
+}
+export declare function parseArgs(argv: string[]): AgentArgs;
+export declare function main(argv: string[]): Promise<void>;

package/dist/core/secrets-v2.js

@@ -0,0 +1,249 @@
+import { createServer as netCreateServer } from 'node:net';
+import { existsSync, unlinkSync, chmodSync } from 'node:fs';
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+import { parseRequest, writeResponse, ProtocolError } from './secrets-v2-protocol.js';
+export const IDLE_TIMEOUT_MS = 30_000;
+const TERM = Buffer.from('\r\n\r\n');
+// module-level token bucket — limits total throughput to 100 req/sec across all connections
+let _tokens = 100;
+let _lastRefill = Date.now();
+function takeToken() {
+    const now = Date.now();
+    const elapsed = (now - _lastRefill) / 1000;
+    if (elapsed > 0) {
+        _tokens = Math.min(100, _tokens + elapsed * 100);
+        _lastRefill = now;
+    }
+    if (_tokens < 1)
+        return false;
+    _tokens -= 1;
+    return true;
+}
+export function _resetRateLimit(initialTokens = 100) {
+    _tokens = initialTokens;
+    _lastRefill = Date.now();
+}
+export function decryptVaultBlob(privateKeyPath, blobPath) {
+    if (!existsSync(blobPath))
+        throw new SecretsError(`vault blob not found: ${blobPath}`);
+    if (!existsSync(privateKeyPath))
+        throw new SecretsError(`private key not found: ${privateKeyPath}`);
+    const r = execSafe('age', ['-d', '-i', privateKeyPath, blobPath]);
+    if (!r.ok)
+        throw new SecretsError(`age decrypt failed: ${r.stderr}`);
+    return parseEnvFormat(r.stdout);
+}
+/**
+ * Parse plaintext env content into a key/value map.
+ *
+ * Note: callers receive `content` after `execSafe` has applied `.trim()` to
+ * the full stdout. Leading/trailing whitespace at the start of the first
+ * line and end of the last line is consumed before parsing. Secret values
+ * with deliberate edge whitespace will be subtly altered. This is a known
+ * project-wide gotcha (also affects v1 secrets); see brain note q5YkhSmRVx9m.
+ */
+function parseEnvFormat(content) {
+    const map = {};
+    for (const rawLine of content.split('\n')) {
+        if (!rawLine.trim() || rawLine.startsWith('#'))
+            continue;
+        const i = rawLine.indexOf('=');
+        if (i > 0) {
+            map[rawLine.slice(0, i)] = rawLine.slice(i + 1);
+        }
+    }
+    return map;
+}
+const MAX_REQUEST_BYTES = 8192;
+export function createServer(deps) {
+    const server = netCreateServer((sock) => handleConnection(sock, deps));
+    let socketPath = '';
+    return {
+        listen: (path) => new Promise((resolve, reject) => {
+            socketPath = path;
+            if (existsSync(path)) {
+                try {
+                    unlinkSync(path);
+                }
+                catch { /* race; let listen fail naturally */ }
+            }
+            const onError = (err) => reject(err);
+            server.once('error', onError);
+            server.listen(path, () => {
+                server.off('error', onError);
+                // 0o660 (not 0o600) is deliberate: the systemd unit runs the agent
+                // as DynamicUser, and the consumer container bind-mounts this
+                // socket and connects as a separate uid sharing the systemd-
+                // allocated group. tightening to 0o600 would break that. if the
+                // consumer pattern ever changes, drop to 0o600.
+                try {
+                    chmodSync(path, 0o660);
+                }
+                catch (err) {
+                    process.stderr.write(`[fleet-agent] WARNING: chmod 0660 on ${path} failed: ${err.message}\n`);
+                }
+                resolve();
+            });
+        }),
+        close: () => new Promise((resolve) => {
+            server.close(() => {
+                if (socketPath && existsSync(socketPath)) {
+                    try {
+                        unlinkSync(socketPath);
+                    }
+                    catch { /* ignore */ }
+                }
+                resolve();
+            });
+        }),
+    };
+}
+function handleConnection(sock, deps) {
+    const chunks = [];
+    let totalBytes = 0;
+    let handled = false;
+    let searchedUpTo = 0;
+    sock.setTimeout(IDLE_TIMEOUT_MS, () => sock.destroy());
+    const handle = () => {
+        if (handled)
+            return;
+        handled = true;
+        if (!takeToken()) {
+            sock.end(writeResponse(429, { error: 'rate_limited' }));
+            return;
+        }
+        const buf = Buffer.concat(chunks);
+        try {
+            const req = parseRequest(buf);
+            const resp = dispatch(req, deps);
+            sock.end(resp);
+        }
+        catch (err) {
+            const isProto = err instanceof ProtocolError;
+            const status = isProto ? 400 : 500;
+            const message = isProto ? err.message : 'internal';
+            sock.end(writeResponse(status, { error: message }));
+        }
+    };
+    sock.on('data', (chunk) => {
+        chunks.push(chunk);
+        totalBytes += chunk.length;
+        if (totalBytes > MAX_REQUEST_BYTES) {
+            handled = true;
+            sock.end(writeResponse(413, { error: 'request too large' }));
+            return;
+        }
+        const buf = Buffer.concat(chunks);
+        const idx = buf.indexOf(TERM, Math.max(0, searchedUpTo - 3));
+        if (idx >= 0) {
+            handle();
+        }
+        else {
+            searchedUpTo = buf.length;
+        }
+    });
+    sock.on('end', () => { if (!handled)
+        handle(); });
+    sock.on('error', () => { });
+}
+const KNOWN_FLAGS = new Set(['--app', '--vault', '--socket', '--credential']);
+const USAGE = 'Usage: fleet-agent --app <name> --vault <dir> --socket <path> [--credential <path>]';
+export function parseArgs(argv) {
+    const parsed = {};
+    let i = 0;
+    while (i < argv.length) {
+        const flag = argv[i];
+        if (!flag.startsWith('--')) {
+            throw new SecretsError(`unexpected argument: ${flag}\n${USAGE}`);
+        }
+        if (!KNOWN_FLAGS.has(flag)) {
+            throw new SecretsError(`unknown flag: ${flag}\n${USAGE}`);
+        }
+        i++;
+        if (i >= argv.length || argv[i].startsWith('--')) {
+            throw new SecretsError(`flag ${flag} requires a value\n${USAGE}`);
+        }
+        parsed[flag.slice(2)] = argv[i];
+        i++;
+    }
+    for (const required of ['app', 'vault', 'socket']) {
+        if (!parsed[required]) {
+            throw new SecretsError(`missing required flag --${required}\n${USAGE}`);
+        }
+    }
+    return {
+        app: parsed['app'],
+        vault: parsed['vault'],
+        socket: parsed['socket'],
+        ...(parsed['credential'] !== undefined ? { credential: parsed['credential'] } : {}),
+    };
+}
+export async function main(argv) {
+    const args = parseArgs(argv);
+    const credentialPath = args.credential
+        ?? (process.env.CREDENTIALS_DIRECTORY
+            ? `${process.env.CREDENTIALS_DIRECTORY}/age-key`
+            : undefined);
+    if (!credentialPath) {
+        throw new SecretsError('no credential path: pass --credential or run under systemd with LoadCredential');
+    }
+    const vaultBlobPath = `${args.vault}/${args.app}.env.age`;
+    let secrets = decryptVaultBlob(credentialPath, vaultBlobPath);
+    const deps = {
+        app: args.app,
+        getSecrets: () => secrets,
+        refresh: () => {
+            secrets = decryptVaultBlob(credentialPath, vaultBlobPath);
+        },
+    };
+    const server = createServer(deps);
+    await server.listen(args.socket);
+    const notify = process.env.NOTIFY_SOCKET;
+    if (notify) {
+        const r = execSafe('systemd-notify', ['--ready'], {});
+        if (!r.ok) {
+            process.stderr.write(`[fleet-agent ${args.app}] systemd-notify failed: ${r.stderr}\n`);
+        }
+    }
+    return new Promise((resolve) => {
+        let shuttingDown = false;
+        const handleSignal = async (sig) => {
+            if (shuttingDown)
+                return;
+            shuttingDown = true;
+            process.stderr.write(`[fleet-agent ${args.app}] ${sig}, shutting down\n`);
+            try {
+                await server.close();
+            }
+            catch { /* ignore */ }
+            resolve();
+        };
+        process.once('SIGTERM', () => handleSignal('SIGTERM'));
+        process.once('SIGINT', () => handleSignal('SIGINT'));
+    });
+}
+function dispatch(req, deps) {
+    if (req.method === 'GET' && req.path === '/health') {
+        const m = deps.getSecrets();
+        return writeResponse(200, { app: deps.app, secrets: Object.keys(m).length });
+    }
+    if (req.method === 'POST' && req.path === '/refresh') {
+        deps.refresh();
+        return writeResponse(200, { reloaded: true });
+    }
+    if (req.method === 'GET' && req.path === '/secrets') {
+        return writeResponse(200, deps.getSecrets());
+    }
+    if (req.method === 'GET' && req.path.startsWith('/secrets/')) {
+        const key = req.path.slice('/secrets/'.length);
+        if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+            return writeResponse(400, { error: 'invalid_key' });
+        }
+        const m = deps.getSecrets();
+        if (key in m)
+            return writeResponse(200, { value: m[key] });
+        return writeResponse(404, { error: 'not_found' });
+    }
+    return writeResponse(404, { error: 'not_found' });
+}