@matthesketh/fleet 1.8.1 → 1.11.0

package/dist/core/secrets.d.ts

@@ -1,6 +1,7 @@
 export declare const VAULT_DIR: string;
 export declare const KEY_PATH = "/etc/fleet/age.key";
 export declare const RUNTIME_DIR = "/run/fleet-secrets";
+export declare const MANIFEST_PATH: string;
 export interface SecretMetadata {
     lastRotated: string;
     provider?: string;
@@ -17,8 +18,10 @@ export interface ManifestEntry {
     /** Per-secret metadata, keyed by secret name. Backwards-compatible: missing means
      * lastRotated falls back to lastSealedAt and provider is auto-classified at read time. */
     secrets?: Record<string, SecretMetadata>;
-    /** Per-app age recipient public key, used by harden --per-app to limit blast radius. */
+    /** per-app age recipient public key. required when mode === 'socket'. */
     recipient?: string;
+    /** delivery mode. defaults to 'unseal' (v1 tmpfs path) when undefined for backward compat. */
+    mode?: 'unseal' | 'socket';
 }
 export interface Manifest {
     version: number;
@@ -31,9 +34,41 @@ export declare function getPublicKey(): string;
 export declare function initVault(): string;
 export declare function loadManifest(): Manifest;
 export declare function saveManifest(manifest: Manifest): void;
-export declare function backupVaultFile(app: string): string | null;
-export declare function restoreVaultFile(app: string): boolean;
-export declare function removeBackup(app: string): void;
+/**
+ * Run an arbitrary transaction under the manifest's inter-process lock.
+ * The callback receives no manifest — it's responsible for any load / save
+ * it needs (the seal flows do their own validate → backup → seal → cleanup
+ * dance and don't fit a simple load/mutate/save shape).
+ *
+ * Important: NOT reentrant. Wrap only the outermost RMW boundary; inner
+ * helpers should call plain `loadManifest` / `saveManifest`.
+ */
+export declare function lockManifest<T>(fn: () => Promise<T> | T): Promise<T>;
+/**
+ * Run a simple load → mutate → save transaction against the secrets
+ * manifest under an inter-process lock. Used by callers that need a
+ * straightforward RMW with no extra side-effects.
+ *
+ * The mutator may return a different Manifest object or mutate the input
+ * and return it. The returned value is persisted on a successful run; if
+ * the mutator throws, no save happens and the lock is released.
+ *
+ * Important: NOT reentrant. Wrap only the outermost RMW boundary; inner
+ * helpers should call plain `loadManifest` / `saveManifest`.
+ */
+export declare function withManifest(fn: (m: Manifest) => Manifest | Promise<Manifest>): Promise<void>;
+/**
+ * Create a per-op backup of an app's encrypted vault file.
+ *
+ * Each call produces a unique `.bak-<tag>` path so concurrent operations do
+ * not silently overwrite each other's recovery point. If you don't supply a
+ * tag, one is generated from PID + timestamp + an in-process monotonic
+ * counter. Callers MUST keep the returned path and pass it to
+ * `restoreVaultFile` / `removeBackup`.
+ */
+export declare function backupVaultFile(app: string, tag?: string): string | null;
+export declare function restoreVaultFile(app: string, bakPath?: string): boolean;
+export declare function removeBackup(app: string, bakPath?: string): void;
 export declare function ageEncrypt(plaintext: string): string;
 export declare function ageDecrypt(ciphertext: string | Buffer): string;
 export declare function ageDecryptFile(filePath: string): string;

package/dist/core/secrets.js

@@ -1,14 +1,20 @@
-import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, chmodSync, rmSync, copyFileSync } from 'node:fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, chmodSync, statSync, rmSync, copyFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { SecretsError, VaultNotInitializedError } from './errors.js';
 import { execSafe } from './exec.js';
 import { assertAppName, assertFilePath } from './validate.js';
+import { withFileLock } from './file-lock.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
-export const VAULT_DIR = join(__dirname, '..', '..', 'vault');
+// vault dir resolves from FLEET_VAULT_DIR if set; otherwise falls back to
+// the repo-local vault dir for dev. captures at module load — tests that
+// want to override need to set the env var before importing. matches the
+// pattern used in secrets-v2-cleanup.ts.
+export const VAULT_DIR = process.env.FLEET_VAULT_DIR
+    ?? join(__dirname, '..', '..', 'vault');
 export const KEY_PATH = '/etc/fleet/age.key';
 export const RUNTIME_DIR = '/run/fleet-secrets';
-const MANIFEST_PATH = join(VAULT_DIR, 'manifest.json');
+export const MANIFEST_PATH = join(VAULT_DIR, 'manifest.json');
 const SECRET_DELIMITER = '---SECRET:';
 export function ensureAge() {
     if (!execSafe('which', ['age']).ok) {
@@ -64,7 +70,50 @@ export function loadManifest() {
 export function saveManifest(manifest) {
     writeFileSync(MANIFEST_PATH, JSON.stringify(manifest, null, 2) + '\n');
 }
-export function backupVaultFile(app) {
+/**
+ * Run an arbitrary transaction under the manifest's inter-process lock.
+ * The callback receives no manifest — it's responsible for any load / save
+ * it needs (the seal flows do their own validate → backup → seal → cleanup
+ * dance and don't fit a simple load/mutate/save shape).
+ *
+ * Important: NOT reentrant. Wrap only the outermost RMW boundary; inner
+ * helpers should call plain `loadManifest` / `saveManifest`.
+ */
+export async function lockManifest(fn) {
+    return withFileLock(MANIFEST_PATH, fn);
+}
+/**
+ * Run a simple load → mutate → save transaction against the secrets
+ * manifest under an inter-process lock. Used by callers that need a
+ * straightforward RMW with no extra side-effects.
+ *
+ * The mutator may return a different Manifest object or mutate the input
+ * and return it. The returned value is persisted on a successful run; if
+ * the mutator throws, no save happens and the lock is released.
+ *
+ * Important: NOT reentrant. Wrap only the outermost RMW boundary; inner
+ * helpers should call plain `loadManifest` / `saveManifest`.
+ */
+export async function withManifest(fn) {
+    await lockManifest(async () => {
+        const manifest = loadManifest();
+        const next = await fn(manifest);
+        saveManifest(next);
+    });
+}
+// monotonic counter so two backupVaultFile calls in the same millisecond
+// (same process, same default-tag path) still produce distinct bak filenames.
+let backupSeq = 0;
+/**
+ * Create a per-op backup of an app's encrypted vault file.
+ *
+ * Each call produces a unique `.bak-<tag>` path so concurrent operations do
+ * not silently overwrite each other's recovery point. If you don't supply a
+ * tag, one is generated from PID + timestamp + an in-process monotonic
+ * counter. Callers MUST keep the returned path and pass it to
+ * `restoreVaultFile` / `removeBackup`.
+ */
+export function backupVaultFile(app, tag) {
     const manifest = loadManifest();
     const entry = manifest.apps[app];
     if (!entry)
@@ -72,30 +121,61 @@ export function backupVaultFile(app) {
     const src = join(VAULT_DIR, entry.encryptedFile);
     if (!existsSync(src))
         return null;
-    const bak = src + '.bak';
+    const t = tag ?? `${process.pid}-${Date.now()}-${++backupSeq}`;
+    const bak = `${src}.bak-${t}`;
     copyFileSync(src, bak);
     return bak;
 }
-export function restoreVaultFile(app) {
+/**
+ * Find the newest `<encryptedFile>.bak-*` for an app, if any. Returns the full
+ * path (in VAULT_DIR) or null. Used as a best-effort fallback when no specific
+ * backup path was supplied (e.g. the simple CLI / MCP `secrets restore` flow).
+ */
+function findNewestBackup(encryptedFile) {
+    if (!existsSync(VAULT_DIR))
+        return null;
+    const prefix = `${encryptedFile}.bak-`;
+    let newest = null;
+    for (const name of readdirSync(VAULT_DIR)) {
+        if (!name.startsWith(prefix))
+            continue;
+        const full = join(VAULT_DIR, name);
+        try {
+            const m = statSync(full).mtimeMs;
+            if (!newest || m > newest.mtime)
+                newest = { path: full, mtime: m };
+        }
+        catch {
+            // ignore stat failures — file may have been removed mid-scan
+        }
+    }
+    return newest ? newest.path : null;
+}
+export function restoreVaultFile(app, bakPath) {
     const manifest = loadManifest();
     const entry = manifest.apps[app];
     if (!entry)
         return false;
     const src = join(VAULT_DIR, entry.encryptedFile);
-    const bak = src + '.bak';
-    if (!existsSync(bak))
+    const bak = bakPath ?? findNewestBackup(entry.encryptedFile);
+    if (!bak || !existsSync(bak))
         return false;
     copyFileSync(bak, src);
     rmSync(bak, { force: true });
     return true;
 }
-export function removeBackup(app) {
+export function removeBackup(app, bakPath) {
+    if (bakPath) {
+        rmSync(bakPath, { force: true });
+        return;
+    }
     const manifest = loadManifest();
     const entry = manifest.apps[app];
     if (!entry)
         return;
-    const bak = join(VAULT_DIR, entry.encryptedFile) + '.bak';
-    rmSync(bak, { force: true });
+    const bak = findNewestBackup(entry.encryptedFile);
+    if (bak)
+        rmSync(bak, { force: true });
 }
 export function ageEncrypt(plaintext) {
     const pubkey = getPublicKey();

package/dist/core/self-update.d.ts

@@ -2,24 +2,45 @@
  * Self-update check and apply for fleet itself.
  *
  * fleet is installed via `npm link`-style symlink from /usr/local/bin/fleet to
- * /home/matt/fleet/dist/index.js. Updates are produced by:
- *   1. git pull --ff-only origin develop  in /home/matt/fleet
- *   2. npm run build  (rewrites dist/)
+ * the repo's dist/index.js. Updates are produced by:
+ *   1. git fetch origin <channel>  (channel = main by default, develop on opt-in)
+ *   2. git pull --ff-only origin <channel>  in the fleet checkout
+ *   3. npm run build  (rewrites dist/)
+ *
+ * Channel selection:
+ *   - default: 'stable' → tracks origin/main (tagged releases only).
+ *   - FLEET_UPDATE_CHANNEL=prerelease → tracks origin/develop (work in flight).
+ *   - FLEET_UPDATE_BRANCH=<name> → arbitrary branch (escape hatch for forks).
+ *
+ * The check intentionally compares against the configured remote branch, not
+ * the local HEAD's tracking branch — so even if the local checkout is on
+ * `develop` the operator can opt back to the stable channel without first
+ * switching branches.
  *
  * checkForUpdate() does a non-blocking `git fetch` + compares HEAD with the
  * remote. applyUpdate() runs the pull + build. Both are pure shell wrappers
  * around execSafe — easy to mock in tests, easy to reason about under sudo.
  */
+export type UpdateChannel = 'stable' | 'prerelease';
+/** resolve the remote branch to track based on env vars. */
+export declare function resolveChannel(): {
+    channel: UpdateChannel;
+    branch: string;
+};
 export interface UpdateInfo {
-    /** True if `git rev-parse @{u}` shows commits ahead of HEAD. */
+    /** true if `git rev-parse @{u}` shows commits ahead of HEAD. */
     available: boolean;
-    /** Number of commits HEAD is behind origin. 0 if up-to-date. */
+    /** number of commits HEAD is behind the configured remote branch. */
     behind: number;
-    /** Short subject of the latest remote commit (or empty string on failure). */
+    /** short subject of the latest remote commit (or empty string on failure). */
     latestSubject: string;
-    /** Branch name in the local repo. */
+    /** local branch in the working tree. */
     branch: string;
-    /** Why the check failed, if it did. */
+    /** remote branch being tracked for updates (e.g. 'main' or 'develop'). */
+    remoteBranch: string;
+    /** stable = main (tagged releases), prerelease = develop (work in flight). */
+    channel: UpdateChannel;
+    /** why the check failed, if it did. */
     error?: string;
 }
 export interface UpdateResult {
@@ -34,8 +55,8 @@ export interface UpdateResult {
  */
 export declare function checkForUpdate(): Promise<UpdateInfo>;
 /**
- * Apply: git pull --ff-only + npm run build. Refuses to run if the working
- * tree is dirty (would clobber uncommitted changes). Returns aggregate output
- * for the toast / TUI to surface.
+ * Apply: git pull --ff-only origin <channel-branch> + npm run build. Refuses
+ * to run if the working tree is dirty (would clobber uncommitted changes).
+ * Returns aggregate output for the toast / TUI to surface.
  */
 export declare function applyUpdate(): Promise<UpdateResult>;

package/dist/core/self-update.js

@@ -2,9 +2,20 @@
  * Self-update check and apply for fleet itself.
  *
  * fleet is installed via `npm link`-style symlink from /usr/local/bin/fleet to
- * /home/matt/fleet/dist/index.js. Updates are produced by:
- *   1. git pull --ff-only origin develop  in /home/matt/fleet
- *   2. npm run build  (rewrites dist/)
+ * the repo's dist/index.js. Updates are produced by:
+ *   1. git fetch origin <channel>  (channel = main by default, develop on opt-in)
+ *   2. git pull --ff-only origin <channel>  in the fleet checkout
+ *   3. npm run build  (rewrites dist/)
+ *
+ * Channel selection:
+ *   - default: 'stable' → tracks origin/main (tagged releases only).
+ *   - FLEET_UPDATE_CHANNEL=prerelease → tracks origin/develop (work in flight).
+ *   - FLEET_UPDATE_BRANCH=<name> → arbitrary branch (escape hatch for forks).
+ *
+ * The check intentionally compares against the configured remote branch, not
+ * the local HEAD's tracking branch — so even if the local checkout is on
+ * `develop` the operator can opt back to the stable channel without first
+ * switching branches.
  *
  * checkForUpdate() does a non-blocking `git fetch` + compares HEAD with the
  * remote. applyUpdate() runs the pull + build. Both are pure shell wrappers
@@ -16,39 +27,66 @@ import { execSafe } from './exec.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 // dist/core/self-update.js → repo root is two ../
 const FLEET_REPO = process.env.FLEET_REPO_PATH ?? `${__dirname}/../..`;
+/** resolve the remote branch to track based on env vars. */
+export function resolveChannel() {
+    // explicit branch override wins — for forks or custom workflows.
+    const explicit = process.env.FLEET_UPDATE_BRANCH;
+    if (explicit) {
+        const channel = explicit === 'develop' ? 'prerelease' : 'stable';
+        return { channel, branch: explicit };
+    }
+    if (process.env.FLEET_UPDATE_CHANNEL === 'prerelease') {
+        return { channel: 'prerelease', branch: 'develop' };
+    }
+    return { channel: 'stable', branch: 'main' };
+}
 /**
  * Non-blocking check. Does a `git fetch` (timeboxed) then compares.
  * Returns a stable UpdateInfo even on failure (just `available=false`).
  */
 export async function checkForUpdate() {
+    const { channel, branch: remoteBranch } = resolveChannel();
     const branchR = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', '--abbrev-ref', 'HEAD']);
     if (!branchR.ok) {
-        return { available: false, behind: 0, latestSubject: '', branch: '?', error: branchR.stderr };
+        return {
+            available: false, behind: 0, latestSubject: '',
+            branch: '?', remoteBranch, channel,
+            error: branchR.stderr,
+        };
     }
     const branch = branchR.stdout;
     // Fetch quietly, with a short timeout so we never block the TUI launch.
-    const fetchR = execSafe('git', ['-C', FLEET_REPO, 'fetch', '--quiet', 'origin', branch], { timeout: 8_000 });
+    const fetchR = execSafe('git', ['-C', FLEET_REPO, 'fetch', '--quiet', 'origin', remoteBranch], { timeout: 8_000 });
     if (!fetchR.ok) {
-        return { available: false, behind: 0, latestSubject: '', branch, error: 'fetch failed' };
+        return {
+            available: false, behind: 0, latestSubject: '',
+            branch, remoteBranch, channel,
+            error: 'fetch failed',
+        };
     }
-    const countR = execSafe('git', ['-C', FLEET_REPO, 'rev-list', '--count', `HEAD..origin/${branch}`]);
+    const countR = execSafe('git', ['-C', FLEET_REPO, 'rev-list', '--count', `HEAD..origin/${remoteBranch}`]);
     if (!countR.ok) {
-        return { available: false, behind: 0, latestSubject: '', branch, error: countR.stderr };
+        return {
+            available: false, behind: 0, latestSubject: '',
+            branch, remoteBranch, channel,
+            error: countR.stderr,
+        };
     }
     const behind = parseInt(countR.stdout, 10) || 0;
     let latestSubject = '';
     if (behind > 0) {
-        const subR = execSafe('git', ['-C', FLEET_REPO, 'log', '-1', '--pretty=%s', `origin/${branch}`]);
+        const subR = execSafe('git', ['-C', FLEET_REPO, 'log', '-1', '--pretty=%s', `origin/${remoteBranch}`]);
         latestSubject = subR.ok ? subR.stdout : '';
     }
-    return { available: behind > 0, behind, latestSubject, branch };
+    return { available: behind > 0, behind, latestSubject, branch, remoteBranch, channel };
 }
 /**
- * Apply: git pull --ff-only + npm run build. Refuses to run if the working
- * tree is dirty (would clobber uncommitted changes). Returns aggregate output
- * for the toast / TUI to surface.
+ * Apply: git pull --ff-only origin <channel-branch> + npm run build. Refuses
+ * to run if the working tree is dirty (would clobber uncommitted changes).
+ * Returns aggregate output for the toast / TUI to surface.
  */
 export async function applyUpdate() {
+    const { branch: remoteBranch } = resolveChannel();
     const dirty = execSafe('git', ['-C', FLEET_REPO, 'status', '--porcelain']);
     if (dirty.ok && dirty.stdout.length > 0) {
         return {
@@ -57,7 +95,7 @@ export async function applyUpdate() {
         };
     }
     const pre = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', 'HEAD']);
-    const pull = execSafe('git', ['-C', FLEET_REPO, 'pull', '--ff-only'], { timeout: 30_000 });
+    const pull = execSafe('git', ['-C', FLEET_REPO, 'pull', '--ff-only', 'origin', remoteBranch], { timeout: 30_000 });
     if (!pull.ok) {
         return { ok: false, pulled: 0, buildOk: false, output: pull.stderr || pull.stdout };
     }

package/dist/core/testflight/asc.d.ts

@@ -0,0 +1,12 @@
+import type { AscCredentials, TestflightBuild } from './types.js';
+export declare function ascJwt(creds: AscCredentials, now?: number): string;
+interface AscRequestOptions {
+    method?: string;
+    body?: unknown;
+}
+export declare function ascRequest(creds: AscCredentials, path: string, opts?: AscRequestOptions): Promise<unknown>;
+export declare function listBuilds(creds: AscCredentials, ascAppId: string, limit?: number): Promise<TestflightBuild[]>;
+export declare function expireBuild(creds: AscCredentials, buildId: string): Promise<void>;
+export declare function setWhatsNew(creds: AscCredentials, buildId: string, whatsNew: string, locale?: string): Promise<void>;
+export declare function verifyApp(creds: AscCredentials, ascAppId: string): Promise<string>;
+export {};

package/dist/core/testflight/asc.js

@@ -0,0 +1,101 @@
+import { createSign } from 'node:crypto';
+import { FleetError } from '../errors.js';
+const ASC_BASE = 'https://api.appstoreconnect.apple.com';
+function base64url(input) {
+    return Buffer.from(input)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+// sign a short-lived ES256 jwt for the app store connect api. the lifetime
+// is held well under apple's 20-minute ceiling.
+export function ascJwt(creds, now = Date.now()) {
+    const iat = Math.floor(now / 1000);
+    const header = { alg: 'ES256', kid: creds.keyId, typ: 'JWT' };
+    const payload = { iss: creds.issuerId, iat, exp: iat + 600, aud: 'appstoreconnect-v1' };
+    const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(payload))}`;
+    const signer = createSign('SHA256');
+    signer.update(signingInput);
+    // apple expects the raw r||s signature (ieee-p1363), not asn.1/der.
+    const signature = signer.sign({ key: creds.privateKey, dsaEncoding: 'ieee-p1363' });
+    return `${signingInput}.${base64url(signature)}`;
+}
+// perform an authenticated app store connect api request. a non-2xx response
+// is surfaced as a FleetError carrying apple's first error detail.
+export async function ascRequest(creds, path, opts = {}) {
+    const res = await fetch(`${ASC_BASE}${path}`, {
+        method: opts.method ?? 'GET',
+        headers: {
+            Authorization: `Bearer ${ascJwt(creds)}`,
+            'Content-Type': 'application/json',
+        },
+        ...(opts.body !== undefined && { body: JSON.stringify(opts.body) }),
+    });
+    if (res.status === 204)
+        return null;
+    const text = await res.text();
+    const json = text ? JSON.parse(text) : null;
+    if (!res.ok) {
+        const detail = json?.errors?.[0]?.detail;
+        throw new FleetError(`App Store Connect API ${res.status}: ${detail ?? text.slice(0, 200)}`);
+    }
+    return json;
+}
+// list builds for an app store connect app, newest upload first.
+export async function listBuilds(creds, ascAppId, limit = 20) {
+    const query = `filter[app]=${encodeURIComponent(ascAppId)}&sort=-uploadedDate` +
+        `&limit=${limit}&include=preReleaseVersion`;
+    const res = (await ascRequest(creds, `/v1/builds?${query}`));
+    const preReleaseVersions = new Map((res.included ?? [])
+        .filter(i => i.type === 'preReleaseVersions')
+        .map(i => [i.id, i.attributes?.version ?? '']));
+    return (res.data ?? []).map(b => ({
+        id: b.id,
+        version: b.attributes?.version ?? '',
+        shortVersion: preReleaseVersions.get(b.relationships?.preReleaseVersion?.data?.id ?? '') ?? '',
+        processingState: b.attributes?.processingState ?? 'UNKNOWN',
+        expired: b.attributes?.expired ?? false,
+        uploadedDate: b.attributes?.uploadedDate ?? '',
+    }));
+}
+// expire a build — the closest the api offers to "delete". an expired build
+// leaves testflight and can no longer be installed by testers.
+export async function expireBuild(creds, buildId) {
+    await ascRequest(creds, `/v1/builds/${buildId}`, {
+        method: 'PATCH',
+        body: { data: { type: 'builds', id: buildId, attributes: { expired: true } } },
+    });
+}
+// set the "what to test" notes for a build, creating the beta localisation
+// when the build has none for the requested locale yet.
+export async function setWhatsNew(creds, buildId, whatsNew, locale = 'en-GB') {
+    const existing = (await ascRequest(creds, `/v1/builds/${buildId}/betaBuildLocalizations`));
+    const match = (existing.data ?? []).find(l => l.attributes?.locale === locale) ??
+        (existing.data ?? [])[0];
+    if (match) {
+        await ascRequest(creds, `/v1/betaBuildLocalizations/${match.id}`, {
+            method: 'PATCH',
+            body: {
+                data: { type: 'betaBuildLocalizations', id: match.id, attributes: { whatsNew } },
+            },
+        });
+        return;
+    }
+    await ascRequest(creds, '/v1/betaBuildLocalizations', {
+        method: 'POST',
+        body: {
+            data: {
+                type: 'betaBuildLocalizations',
+                attributes: { locale, whatsNew },
+                relationships: { build: { data: { type: 'builds', id: buildId } } },
+            },
+        },
+    });
+}
+// fetch an app's name — a cheap call used to verify credentials and the
+// configured app id resolve.
+export async function verifyApp(creds, ascAppId) {
+    const res = (await ascRequest(creds, `/v1/apps/${ascAppId}`));
+    return res.data?.attributes?.name ?? '(unknown)';
+}

package/dist/core/testflight/credentials.d.ts

@@ -0,0 +1,3 @@
+import type { AscCredentials } from './types.js';
+export declare function resolveAscCredentials(env: NodeJS.ProcessEnv): AscCredentials;
+export declare function hasAscCredentials(env: NodeJS.ProcessEnv): boolean;

package/dist/core/testflight/credentials.js

@@ -0,0 +1,35 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { FleetError } from '../errors.js';
+// resolve app store connect api credentials from an environment map. the
+// private key is supplied either inline-base64 (ASC_API_KEY_B64) or as a path
+// to a .p8 file (ASC_API_KEY_PATH) — base64 is preferred so the key lives in
+// the fleet secrets vault rather than as a loose file on disk.
+export function resolveAscCredentials(env) {
+    const keyId = env.ASC_API_KEY_ID;
+    const issuerId = env.ASC_API_KEY_ISSUER_ID;
+    if (!keyId || !issuerId) {
+        throw new FleetError('App Store Connect credentials missing — set ASC_API_KEY_ID and ASC_API_KEY_ISSUER_ID.');
+    }
+    let privateKey;
+    if (env.ASC_API_KEY_B64) {
+        privateKey = Buffer.from(env.ASC_API_KEY_B64, 'base64').toString('utf-8');
+    }
+    else if (env.ASC_API_KEY_PATH && existsSync(env.ASC_API_KEY_PATH)) {
+        privateKey = readFileSync(env.ASC_API_KEY_PATH, 'utf-8');
+    }
+    if (!privateKey || !privateKey.includes('PRIVATE KEY')) {
+        throw new FleetError('App Store Connect private key missing — set ASC_API_KEY_B64 (base64 of the .p8) ' +
+            'or ASC_API_KEY_PATH (path to the .p8 file).');
+    }
+    return { keyId, issuerId, privateKey };
+}
+// true when full app store connect credentials are present in `env`.
+export function hasAscCredentials(env) {
+    try {
+        resolveAscCredentials(env);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/core/testflight/eas.d.ts

@@ -0,0 +1,4 @@
+import type { EasEnv } from './types.js';
+export declare function easVersion(): string | null;
+export declare function easBuild(projectPath: string, profile: string, env: EasEnv): number;
+export declare function easSubmit(projectPath: string, profile: string, env: EasEnv): number;

package/dist/core/testflight/eas.js

@@ -0,0 +1,38 @@
+import { spawnSync } from 'node:child_process';
+import { execSafe } from '../exec.js';
+// the eas cli is invoked through npx so a global install isn't required.
+function npxArgs(rest) {
+    return ['--yes', 'eas-cli', ...rest];
+}
+// version string of the eas cli, or null when it can't be resolved.
+export function easVersion() {
+    const res = execSafe('npx', npxArgs(['--version']), { timeout: 120_000 });
+    if (!res.ok || !res.stdout)
+        return null;
+    return res.stdout.split('\n').map(l => l.trim()).filter(Boolean).pop() ?? null;
+}
+// run an eas cli subcommand in the mobile project with stdio inherited so a
+// long-running build/submit streams its progress live. returns the exit code.
+function easLive(projectPath, env, rest) {
+    const result = spawnSync('npx', npxArgs(rest), {
+        cwd: projectPath,
+        stdio: 'inherit',
+        env: { ...process.env, ...env },
+        encoding: 'utf-8',
+    });
+    return result.status ?? 1;
+}
+// build the ios app for the given eas profile.
+export function easBuild(projectPath, profile, env) {
+    return easLive(projectPath, env, [
+        'build', '--platform', 'ios', '--profile', profile, '--non-interactive',
+    ]);
+}
+// submit the latest ios build to testflight. when no app store connect record
+// exists for the bundle id yet, eas submit creates one — this is the "new
+// entry" path.
+export function easSubmit(projectPath, profile, env) {
+    return easLive(projectPath, env, [
+        'submit', '--platform', 'ios', '--profile', profile, '--non-interactive',
+    ]);
+}

package/dist/core/testflight/resolve.d.ts

@@ -0,0 +1,6 @@
+export interface TestflightTarget {
+    app: string;
+    projectPath: string;
+}
+export declare function resolveTestflightTarget(target: string): TestflightTarget;
+export declare function appSecretsEnv(app: string): NodeJS.ProcessEnv;

package/dist/core/testflight/resolve.js

@@ -0,0 +1,44 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { load, findApp } from '../registry.js';
+import { FleetError } from '../errors.js';
+const SECRETS_BASE = '/run/fleet-secrets';
+// resolve a registered fleet app to its mobile project directory. testflight
+// targets must be registered apps — the credentials live in the app's vault.
+export function resolveTestflightTarget(target) {
+    const app = findApp(load(), target);
+    if (!app) {
+        throw new FleetError(`Unknown app "${target}" — not in the fleet registry.`);
+    }
+    const mobileDir = join(app.composePath, 'mobile');
+    return {
+        app: app.name,
+        projectPath: existsSync(mobileDir) ? mobileDir : app.composePath,
+    };
+}
+// minimal .env reader for an app's unsealed fleet secrets.
+function readEnvFile(path) {
+    if (!existsSync(path))
+        return {};
+    const vars = {};
+    for (const line of readFileSync(path, 'utf-8').split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#'))
+            continue;
+        const eq = trimmed.indexOf('=');
+        if (eq < 1)
+            continue;
+        let val = trimmed.slice(eq + 1);
+        if ((val.startsWith('"') && val.endsWith('"')) ||
+            (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.slice(1, -1);
+        }
+        vars[trimmed.slice(0, eq)] = val;
+    }
+    return vars;
+}
+// an app's unsealed fleet secrets layered over the current process env. the
+// vault holds the App Store Connect / Expo credentials testflight needs.
+export function appSecretsEnv(app) {
+    return { ...process.env, ...readEnvFile(join(SECRETS_BASE, app, '.env')) };
+}

package/dist/core/testflight/types.d.ts

@@ -0,0 +1,13 @@
+export interface AscCredentials {
+    keyId: string;
+    issuerId: string;
+    privateKey: string;
+}
+export interface TestflightBuild {
+    id: string;
+    version: string;
+    shortVersion: string;
+    processingState: string;
+    expired: boolean;
+    uploadedDate: string;
+}

package/dist/core/testflight/types.js

@@ -0,0 +1,3 @@
+// shapes for the testflight publishing pipeline. the asc types mirror the
+// json:api responses consumed from the app store connect api.
+export {};