@matthesketh/fleet 1.8.1 → 1.11.0

package/dist/registry/parse-args.js

@@ -0,0 +1,74 @@
+import { z } from 'zod';
+/** single-dash short flags, mapped to the long-form (schema) field they set.
+ *  short flags only ever set a boolean field true. */
+const SHORT_FLAGS = { y: 'yes' };
+/** true when a schema field (unwrapping optional/default) is a boolean. */
+function isBooleanField(schema) {
+    let s = schema;
+    while (s instanceof z.ZodOptional || s instanceof z.ZodDefault) {
+        s = s._def.innerType;
+    }
+    return s instanceof z.ZodBoolean;
+}
+export function parseArgs(schema, argv) {
+    if (argv.includes('--help') || argv.includes('-h')) {
+        return { help: true };
+    }
+    const shape = schema.shape;
+    const fieldNames = Object.keys(shape);
+    const booleanFields = new Set(fieldNames.filter(n => isBooleanField(shape[n])));
+    const values = {};
+    const positionals = [];
+    for (let i = 0; i < argv.length; i++) {
+        const token = argv[i];
+        if (token.startsWith('--')) {
+            const body = token.slice(2);
+            const eq = body.indexOf('=');
+            if (eq !== -1) {
+                // --key=value form
+                values[body.slice(0, eq)] = body.slice(eq + 1);
+                continue;
+            }
+            if (booleanFields.has(body)) {
+                values[body] = true;
+                continue;
+            }
+            const next = argv[i + 1];
+            if (next === undefined || next.startsWith('--')) {
+                return { help: false, ok: false, error: `flag --${body} requires a value` };
+            }
+            values[body] = next;
+            i++;
+        }
+        else if (/^-[A-Za-z]$/.test(token)) {
+            // single-dash short flag (e.g. -y) — resolve via the alias table
+            const long = SHORT_FLAGS[token.slice(1)];
+            if (long === undefined || !(long in shape)) {
+                return { help: false, ok: false, error: `unknown flag: ${token}` };
+            }
+            values[long] = true;
+        }
+        else {
+            positionals.push(token);
+        }
+    }
+    // reject flags that aren't in the schema — a mistyped flag must not be dropped silently
+    const unknownFlags = Object.keys(values).filter(k => !(k in shape));
+    if (unknownFlags.length > 0) {
+        return { help: false, ok: false, error: `unknown flag(s): ${unknownFlags.join(', ')}` };
+    }
+    // assign leftover positionals to non-boolean fields in declaration order
+    const positionalFields = fieldNames.filter(n => !booleanFields.has(n) && !(n in values));
+    for (let i = 0; i < positionals.length && i < positionalFields.length; i++) {
+        values[positionalFields[i]] = positionals[i];
+    }
+    const parsed = schema.safeParse(values);
+    if (!parsed.success) {
+        return {
+            help: false,
+            ok: false,
+            error: parsed.error.issues.map(iss => `${iss.path.join('.')}: ${iss.message}`).join('; '),
+        };
+    }
+    return { help: false, ok: true, values: parsed.data };
+}

package/dist/registry/registry.d.ts

@@ -0,0 +1,24 @@
+import type { z } from 'zod';
+import type { CommandContext, CommandDef, CommandResult } from './types.js';
+export declare function register(def: CommandDef): void;
+/**
+ * defines a command with full argument-type inference: the `args` schema and
+ * the `run` handler's first parameter are tied through the shape generic `S`.
+ * returns the erased `CommandDef` the registry stores.
+ */
+export declare function defineCommand<S extends z.ZodRawShape, D>(def: {
+    name: string;
+    summary: string;
+    args: z.ZodObject<S>;
+    destructive?: boolean;
+    cliOnly?: boolean;
+    tui?: 'palette' | {
+        view: string;
+    };
+    run(args: z.infer<z.ZodObject<S>>, ctx: CommandContext): Promise<CommandResult<D>>;
+}): CommandDef<D>;
+export declare function getCommand(name: string): CommandDef | undefined;
+export declare function allCommands(): CommandDef[];
+/** test-only: clears the registry between tests. prefer _resetLoader() from
+ *  registry/index.ts if you also need to reset the loadRegistry guard. */
+export declare function _resetRegistry(): void;

package/dist/registry/registry.js

@@ -0,0 +1,26 @@
+const registry = new Map();
+export function register(def) {
+    if (registry.has(def.name)) {
+        throw new Error(`duplicate command registration: ${def.name}`);
+    }
+    registry.set(def.name, def);
+}
+/**
+ * defines a command with full argument-type inference: the `args` schema and
+ * the `run` handler's first parameter are tied through the shape generic `S`.
+ * returns the erased `CommandDef` the registry stores.
+ */
+export function defineCommand(def) {
+    return def;
+}
+export function getCommand(name) {
+    return registry.get(name);
+}
+export function allCommands() {
+    return [...registry.values()].sort((a, b) => a.name.localeCompare(b.name));
+}
+/** test-only: clears the registry between tests. prefer _resetLoader() from
+ *  registry/index.ts if you also need to reset the loadRegistry guard. */
+export function _resetRegistry() {
+    registry.clear();
+}

package/dist/registry/render.d.ts

@@ -0,0 +1,3 @@
+import type { RenderModel } from './types.js';
+/** turns a RenderModel into a plain-text block for cli output. */
+export declare function renderToText(model: RenderModel): string;

package/dist/registry/render.js

@@ -0,0 +1,29 @@
+/** turns a RenderModel into a plain-text block for cli output. */
+export function renderToText(model) {
+    switch (model.kind) {
+        case 'lines':
+            return model.lines.join('\n');
+        case 'keyValue': {
+            const width = Math.max(0, ...model.pairs.map(([k]) => k.length));
+            return model.pairs.map(([k, v]) => `${k.padEnd(width + 2)}${v}`).join('\n');
+        }
+        case 'table': {
+            const all = [model.columns, ...model.rows];
+            const widths = model.columns.map((_, i) => Math.max(...all.map(row => (row[i] ?? '').length)));
+            const fmt = (row) => row
+                .slice(0, model.columns.length)
+                .map((cell, i) => (i === model.columns.length - 1 ? cell : cell.padEnd(widths[i] + 2)))
+                .join('');
+            return all.map(fmt).join('\n');
+        }
+        case 'tree':
+            return treeLines(model.root, 0).join('\n');
+    }
+}
+function treeLines(node, depth) {
+    const out = ['  '.repeat(depth) + node.label];
+    for (const child of node.children ?? []) {
+        out.push(...treeLines(child, depth + 1));
+    }
+    return out;
+}

package/dist/registry/types.d.ts

@@ -0,0 +1,50 @@
+import type { z } from 'zod';
+/** a renderable model each surface turns into text (cli) or components (tui). */
+export type RenderModel = {
+    kind: 'lines';
+    lines: string[];
+} | {
+    kind: 'keyValue';
+    pairs: Array<[string, string]>;
+} | {
+    kind: 'table';
+    columns: string[];
+    rows: string[][];
+} | {
+    kind: 'tree';
+    root: TreeNode;
+};
+export interface TreeNode {
+    label: string;
+    children?: TreeNode[];
+}
+/** the surface-agnostic result every command handler returns. */
+export interface CommandResult<D = unknown> {
+    ok: boolean;
+    summary: string;
+    data: D;
+    render?: RenderModel;
+}
+/** surface-neutral services passed to every handler. */
+export interface CommandContext {
+    confirm(prompt: string): Promise<boolean>;
+    log(event: {
+        level: 'info' | 'warn' | 'error';
+        message: string;
+    }): void;
+    env: NodeJS.ProcessEnv;
+}
+/** a command defined once; all three surfaces are derived from this. the
+ *  registry stores the erased form — `run` receives the already-parsed args
+ *  as a plain record. use `defineCommand` for inference at definition sites. */
+export interface CommandDef<D = unknown> {
+    name: string;
+    summary: string;
+    args: z.ZodObject<z.ZodRawShape>;
+    destructive?: boolean;
+    cliOnly?: boolean;
+    tui?: 'palette' | {
+        view: string;
+    };
+    run(args: Record<string, unknown>, ctx: CommandContext): Promise<CommandResult<D>>;
+}

package/dist/registry/types.js

@@ -0,0 +1 @@
+export {};

package/dist/templates/agent-unit.d.ts

@@ -0,0 +1,5 @@
+/** build the templated systemd unit for fleet-secrets-agent@%i.service.
+ *  the vault path comes from the caller — production code passes whatever
+ *  FLEET_VAULT_DIR or the repo-local default resolves to, so this template
+ *  never carries an operator-specific assumption. */
+export declare function generateAgentUnit(vaultPath: string): string;

package/dist/templates/agent-unit.js

@@ -0,0 +1,40 @@
+/** build the templated systemd unit for fleet-secrets-agent@%i.service.
+ *  the vault path comes from the caller — production code passes whatever
+ *  FLEET_VAULT_DIR or the repo-local default resolves to, so this template
+ *  never carries an operator-specific assumption. */
+export function generateAgentUnit(vaultPath) {
+    return [
+        '[Unit]',
+        'Description=Fleet Secrets Agent for %i',
+        'After=network.target',
+        'PartOf=docker-%i.service',
+        '',
+        '[Service]',
+        'Type=notify',
+        'DynamicUser=yes',
+        'RuntimeDirectory=fleet-secrets',
+        'RuntimeDirectoryPreserve=yes',
+        'LoadCredentialEncrypted=age-key:/etc/fleet/credentials/%i.cred',
+        `ExecStart=/usr/local/bin/fleet-agent --app %i --vault ${vaultPath} --socket /run/fleet-secrets/%i.sock`,
+        'Restart=on-failure',
+        'RestartSec=2',
+        '',
+        '# hardening',
+        'ProtectSystem=strict',
+        'ProtectHome=read-only',
+        `ReadOnlyPaths=${vaultPath}`,
+        'PrivateTmp=yes',
+        'NoNewPrivileges=yes',
+        'ProtectKernelTunables=yes',
+        'ProtectKernelModules=yes',
+        'ProtectControlGroups=yes',
+        'RestrictAddressFamilies=AF_UNIX',
+        'RestrictNamespaces=yes',
+        'SystemCallFilter=@system-service',
+        'SystemCallFilter=~@privileged @resources @mount',
+        '',
+        '[Install]',
+        'WantedBy=multi-user.target',
+        '',
+    ].join('\n');
+}

package/dist/templates/app-unit-edit.d.ts

@@ -0,0 +1,2 @@
+export declare function addAgentDependency(content: string, app: string): string;
+export declare function removeAgentDependency(content: string, app: string): string;

package/dist/templates/app-unit-edit.js

@@ -0,0 +1,46 @@
+function findUnitSection(content) {
+    const lines = content.split('\n');
+    let start = -1;
+    let end = -1;
+    for (let i = 0; i < lines.length; i++) {
+        if (lines[i].trim() === '[Unit]') {
+            start = i;
+            continue;
+        }
+        if (start >= 0 && lines[i].startsWith('[') && lines[i].endsWith(']')) {
+            end = i;
+            break;
+        }
+    }
+    if (start < 0)
+        throw new Error('no [Unit] section found');
+    if (end < 0)
+        end = lines.length;
+    return { start, end };
+}
+export function addAgentDependency(content, app) {
+    const lines = content.split('\n');
+    const requires = `Requires=fleet-secrets-agent@${app}.service`;
+    const after = `After=fleet-secrets-agent@${app}.service`;
+    if (lines.includes(requires) && lines.includes(after))
+        return content;
+    const section = findUnitSection(content);
+    let insertAt = section.end;
+    while (insertAt > section.start + 1 && lines[insertAt - 1].trim() === '')
+        insertAt--;
+    const toInsert = [];
+    if (!lines.includes(requires))
+        toInsert.push(requires);
+    if (!lines.includes(after))
+        toInsert.push(after);
+    lines.splice(insertAt, 0, ...toInsert);
+    return lines.join('\n');
+}
+export function removeAgentDependency(content, app) {
+    const requires = `Requires=fleet-secrets-agent@${app}.service`;
+    const after = `After=fleet-secrets-agent@${app}.service`;
+    return content
+        .split('\n')
+        .filter(l => l !== requires && l !== after)
+        .join('\n');
+}

package/dist/templates/compose-edit.d.ts

@@ -0,0 +1,2 @@
+export declare function migrateComposeToV2(yamlContent: string, app: string, service: string): string;
+export declare function revertComposeFromV2(yamlContent: string, app: string, service: string): string;

package/dist/templates/compose-edit.js

@@ -0,0 +1,156 @@
+import { parseDocument, Scalar, isMap, isSeq, isScalar } from 'yaml';
+const FLEET_ENV_KEY = 'FLEET_SECRETS_SOCKET';
+const FLEET_ENV_VAL = '/run/fleet.sock';
+function v1EnvFile(app) {
+    return `/run/fleet-secrets/${app}/.env`;
+}
+function v2SocketMount(app) {
+    return `/run/fleet-secrets/${app}.sock:/run/fleet.sock:ro`;
+}
+function getService(doc, service) {
+    const svc = doc.getIn(['services', service], true);
+    if (!svc || !isMap(svc)) {
+        throw new Error(`service '${service}' not found in compose file`);
+    }
+    return svc;
+}
+function removeEnvFileEntry(svc, app) {
+    const v1Path = v1EnvFile(app);
+    const raw = svc.get('env_file', true);
+    if (raw === undefined || raw === null)
+        return;
+    if (isScalar(raw)) {
+        if (raw.value === v1Path) {
+            svc.delete('env_file');
+        }
+        return;
+    }
+    if (isSeq(raw)) {
+        const seq = raw;
+        const idx = seq.items.findIndex(item => isScalar(item) && item.value === v1Path);
+        if (idx !== -1) {
+            seq.items.splice(idx, 1);
+        }
+        if (seq.items.length === 0) {
+            svc.delete('env_file');
+        }
+        return;
+    }
+    if (typeof raw === 'string' && raw === v1Path) {
+        svc.delete('env_file');
+    }
+}
+function ensureEnvVar(svc) {
+    const envRaw = svc.get('environment', true);
+    if (!envRaw) {
+        svc.set('environment', { [FLEET_ENV_KEY]: FLEET_ENV_VAL });
+        return;
+    }
+    if (isMap(envRaw)) {
+        const env = envRaw;
+        if (!env.has(FLEET_ENV_KEY)) {
+            env.set(FLEET_ENV_KEY, FLEET_ENV_VAL);
+        }
+        return;
+    }
+    if (isSeq(envRaw)) {
+        const seq = envRaw;
+        const kvPrefix = `${FLEET_ENV_KEY}=`;
+        const already = seq.items.some(item => isScalar(item) && typeof item.value === 'string' && item.value.startsWith(kvPrefix));
+        if (!already) {
+            seq.add(`${FLEET_ENV_KEY}=${FLEET_ENV_VAL}`);
+        }
+        return;
+    }
+}
+function removeEnvVar(svc) {
+    const envRaw = svc.get('environment', true);
+    if (!envRaw)
+        return;
+    if (isMap(envRaw)) {
+        const env = envRaw;
+        env.delete(FLEET_ENV_KEY);
+        if (env.items.length === 0) {
+            svc.delete('environment');
+        }
+        return;
+    }
+    if (isSeq(envRaw)) {
+        const seq = envRaw;
+        const kvPrefix = `${FLEET_ENV_KEY}=`;
+        const idx = seq.items.findIndex(item => isScalar(item) && typeof item.value === 'string' && item.value.startsWith(kvPrefix));
+        if (idx !== -1) {
+            seq.items.splice(idx, 1);
+        }
+        if (seq.items.length === 0) {
+            svc.delete('environment');
+        }
+    }
+}
+function ensureSocketMount(svc, app) {
+    const mount = v2SocketMount(app);
+    const volRaw = svc.get('volumes', true);
+    if (!volRaw) {
+        svc.set('volumes', [mount]);
+        return;
+    }
+    if (isSeq(volRaw)) {
+        const seq = volRaw;
+        const already = seq.items.some(item => isScalar(item) && item.value === mount);
+        if (!already) {
+            seq.add(mount);
+        }
+        return;
+    }
+}
+function removeSocketMount(svc, app) {
+    const mount = v2SocketMount(app);
+    const volRaw = svc.get('volumes', true);
+    if (!volRaw || !isSeq(volRaw))
+        return;
+    const seq = volRaw;
+    const idx = seq.items.findIndex(item => isScalar(item) && item.value === mount);
+    if (idx !== -1) {
+        seq.items.splice(idx, 1);
+    }
+    if (seq.items.length === 0) {
+        svc.delete('volumes');
+    }
+}
+function restoreEnvFile(svc, app) {
+    const v1Path = v1EnvFile(app);
+    const raw = svc.get('env_file', true);
+    if (!raw) {
+        svc.set('env_file', v1Path);
+        return;
+    }
+    if (isScalar(raw)) {
+        if (raw.value !== v1Path) {
+            svc.set('env_file', v1Path);
+        }
+        return;
+    }
+    if (isSeq(raw)) {
+        const seq = raw;
+        const already = seq.items.some(item => isScalar(item) && item.value === v1Path);
+        if (!already) {
+            seq.items.unshift(new Scalar(v1Path));
+        }
+    }
+}
+export function migrateComposeToV2(yamlContent, app, service) {
+    const doc = parseDocument(yamlContent);
+    const svc = getService(doc, service);
+    removeEnvFileEntry(svc, app);
+    ensureEnvVar(svc);
+    ensureSocketMount(svc, app);
+    return doc.toString();
+}
+export function revertComposeFromV2(yamlContent, app, service) {
+    const doc = parseDocument(yamlContent);
+    const svc = getService(doc, service);
+    removeSocketMount(svc, app);
+    removeEnvVar(svc);
+    restoreEnvFile(svc, app);
+    return doc.toString();
+}

package/dist/templates/nginx.js

@@ -1,4 +1,15 @@
+import { assertDomain, assertHealthPath } from '../core/validate.js';
 export function generateNginxConfig(opts) {
+    // defence-in-depth: callers are expected to validate already, but a
+    // missed call must not produce a config that injects directives via
+    // ${domain} (server_name interpolation) or ${port} (proxy_pass).
+    // mirrors the assertComposeFile pattern in src/templates/systemd.ts.
+    assertDomain(opts.domain);
+    if (!Number.isInteger(opts.port) || opts.port < 1 || opts.port > 65535) {
+        throw new Error(`invalid port: ${opts.port}`);
+    }
+    if (opts.apiPrefix !== undefined)
+        assertHealthPath(opts.apiPrefix);
     const { domain, port, type } = opts;
     const apiPrefix = opts.apiPrefix ?? '/api';
     const securityHeaders = `    add_header X-Content-Type-Options "nosniff" always;

package/dist/templates/systemd.js

@@ -1,4 +1,10 @@
+import { assertComposeFile } from '../core/validate.js';
 export function generateServiceFile(opts) {
+    // Defence-in-depth: even if a caller skipped upstream validation, refuse to
+    // emit a unit file with a composeFile value that could break out of the
+    // quoted -f argument and inject extra docker-compose flags or shell.
+    if (opts.composeFile)
+        assertComposeFile(opts.composeFile);
     const fileFlag = opts.composeFile ? ` -f "${opts.composeFile}"` : '';
     const dbDep = opts.dependsOnDatabases ? ' docker-databases.service' : '';
     return `[Unit]

package/dist/tui/components/ArgForm.d.ts

@@ -0,0 +1,7 @@
+import React from 'react';
+import { z } from 'zod';
+export declare function ArgForm(props: {
+    schema: z.ZodObject<z.ZodRawShape>;
+    onSubmit: (values: Record<string, unknown>) => void;
+    onCancel: () => void;
+}): React.JSX.Element;

package/dist/tui/components/ArgForm.js

@@ -0,0 +1,64 @@
+import { jsxs as _jsxs, jsx as _jsx } from "react/jsx-runtime";
+import { useState } from 'react';
+import { Box, Text } from 'ink';
+import { z } from 'zod';
+import { useRegisterHandler } from '@matthesketh/ink-input-dispatcher';
+import { colors } from '../theme.js';
+function describeField(name, schema) {
+    let s = schema;
+    while (s instanceof z.ZodOptional || s instanceof z.ZodDefault) {
+        s = s._def.innerType;
+    }
+    if (s instanceof z.ZodBoolean)
+        return { name, kind: 'boolean' };
+    if (s instanceof z.ZodNumber)
+        return { name, kind: 'number' };
+    if (s instanceof z.ZodEnum)
+        return { name, kind: 'enum', options: s._def.values };
+    return { name, kind: 'string' };
+}
+export function ArgForm(props) {
+    const fields = Object.entries(props.schema.shape).map(([n, s]) => describeField(n, s));
+    const [cursor, setCursor] = useState(0);
+    const [values, setValues] = useState(() => Object.fromEntries(fields.map(f => [f.name, f.kind === 'boolean' ? false : ''])));
+    const handler = (input, key) => {
+        if (key.escape) {
+            props.onCancel();
+            return true;
+        }
+        if (key.return) {
+            props.onSubmit(values);
+            return true;
+        }
+        if (key.downArrow) {
+            setCursor(c => Math.min(c + 1, fields.length - 1));
+            return true;
+        }
+        if (key.upArrow) {
+            setCursor(c => Math.max(c - 1, 0));
+            return true;
+        }
+        const field = fields[cursor];
+        if (!field)
+            return false;
+        if (field.kind === 'boolean') {
+            if (input === ' ') {
+                setValues(v => ({ ...v, [field.name]: !v[field.name] }));
+                return true;
+            }
+        }
+        else if (key.backspace || key.delete) {
+            setValues(v => ({ ...v, [field.name]: String(v[field.name] ?? '').slice(0, -1) }));
+            return true;
+        }
+        else if (input && !key.ctrl && !key.meta) {
+            setValues(v => ({ ...v, [field.name]: String(v[field.name] ?? '') + input }));
+            return true;
+        }
+        return false;
+    };
+    useRegisterHandler(handler);
+    return (_jsxs(Box, { flexDirection: "column", children: [fields.map((f, i) => (_jsxs(Box, { children: [_jsxs(Text, { color: i === cursor ? colors.primary : colors.muted, children: [i === cursor ? '> ' : '  ', f.name, ":", ' '] }), _jsx(Text, { children: f.kind === 'boolean'
+                            ? (values[f.name] ? '[x]' : '[ ]')
+                            : String(values[f.name] ?? '') })] }, f.name))), _jsx(Box, { marginTop: 1, children: _jsx(Text, { color: colors.muted, children: "\u2191\u2193 field \u00B7 space toggle \u00B7 enter run \u00B7 esc cancel" }) })] }));
+}

package/dist/tui/components/ArgForm.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tui/components/ArgForm.test.js

@@ -0,0 +1,19 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+import { render } from 'ink-testing-library';
+import { describe, it, expect } from 'vitest';
+import { z } from 'zod';
+import { ArgForm } from './ArgForm.js';
+describe('ArgForm', () => {
+    it('renders one labelled field per schema property', () => {
+        const schema = z.object({ app: z.string(), force: z.boolean().default(false) });
+        const { lastFrame } = render(_jsx(ArgForm, { schema: schema, onSubmit: () => { }, onCancel: () => { } }));
+        const frame = lastFrame() ?? '';
+        expect(frame).toContain('app');
+        expect(frame).toContain('force');
+    });
+    it('shows a toggle hint for boolean fields', () => {
+        const schema = z.object({ force: z.boolean().default(false) });
+        const { lastFrame } = render(_jsx(ArgForm, { schema: schema, onSubmit: () => { }, onCancel: () => { } }));
+        expect(lastFrame() ?? '').toMatch(/false|off|\[ \]/i);
+    });
+});

package/dist/tui/components/KeyHint.js

@@ -54,6 +54,11 @@ const viewHints = {
         { key: 'L', label: 'level' },
         { key: 'q', label: 'quit' },
     ],
+    'command-palette': [
+        { key: '↑/↓', label: 'navigate' },
+        { key: 'Enter', label: 'run' },
+        { key: 'Esc', label: 'close' },
+    ],
 };
 export function KeyHint() {
     const { currentView, confirmAction } = useAppState();

package/dist/tui/hooks/use-secrets.d.ts

@@ -20,28 +20,28 @@ interface SecretsState {
 interface SecretsActions {
     refresh: () => void;
     loadAppSecrets: (app: string) => void;
-    saveSecret: (app: string, key: string, value: string) => {
+    saveSecret: (app: string, key: string, value: string) => Promise<{
         ok: boolean;
         error?: string;
-    };
-    deleteSecret: (app: string, key: string) => {
+    }>;
+    deleteSecret: (app: string, key: string) => Promise<{
         ok: boolean;
         error?: string;
-    };
+    }>;
     revealSecret: (app: string, key: string) => void;
     hideSecret: (key: string) => void;
     unseal: () => {
         ok: boolean;
         error?: string;
     };
-    seal: () => {
+    seal: () => Promise<{
         ok: boolean;
         error?: string;
-    };
-    importEnv: (app: string, path: string) => {
+    }>;
+    importEnv: (app: string, path: string) => Promise<{
         ok: boolean;
         error?: string;
-    };
+    }>;
 }
 export declare function useSecrets(): SecretsState & SecretsActions;
 export {};