@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/core/secrets-rotation.js

@@ -4,7 +4,7 @@
  * gate, and rolls back on failure. Pure functions where possible — I/O isolated
  * to thin wrappers so tests can run without a real vault.
  */
-import { decryptApp, sealApp, loadManifest } from './secrets.js';
+import { decryptApp, sealApp, loadManifest, lockManifest } from './secrets.js';
 import { snapshotApp, restoreSnapshot } from './secrets-snapshots.js';
 import { auditLog } from './secrets-audit.js';
 import { markRotated } from './secrets-metadata.js';
@@ -108,58 +108,64 @@ export function applyRotation(plaintext, key, newValue, strategy) {
  * snapshot → seal → audit. Restart + health-gate are caller's responsibility
  * (we want the engine pure-ish so it's easy to test).
  */
-export function performRotation(app, key, newValue, opts = {}) {
-    const manifest = loadManifest();
-    const entry = manifest.apps[app];
-    if (!entry)
-        throw new SecretsError(`No app in manifest: ${app}`);
-    if (entry.type !== 'env') {
-        throw new SecretsError(`Rotation only supports env-type apps, got ${entry.type}`);
-    }
-    const provider = classifySecret(key);
-    const strategy = provider?.strategy ?? 'immediate';
-    if (strategy === 'user-issued') {
-        throw new SecretsError(`${key} is a user-issued token. Rotating yours doesn't help — invalidate per-user instead.`);
-    }
-    // Strict typed opt — was previously a substring match on opts.notes which
-    // could be bypassed by any caller embedding the flag in free-text notes.
-    if (strategy === 'at-rest-key' && !opts.dataMigrated) {
-        throw new SecretsError(`${key} encrypts data at rest. Re-encrypt your data first, then pass --data-migrated.`);
-    }
-    if (opts.dryRun) {
-        auditLog({ op: 'rotate-attempted', app, secret: key, ok: true, details: 'dry-run' });
-        return { app, key, strategy, snapshot: '(dry-run)', rolledBack: false };
-    }
-    // 1. Snapshot before any change.
-    const snapshot = snapshotApp(app);
-    auditLog({ op: 'snapshot', app, secret: key, ok: true, details: snapshot });
-    try {
-        // 2. Decrypt, apply rotation, re-encrypt.
-        const plaintext = decryptApp(app);
-        const updated = applyRotation(plaintext, key, newValue, strategy);
-        sealApp(app, updated, entry.sourceFile);
-        // 3. Stamp metadata.
-        markRotated(app, key, { strategy, notes: opts.notes });
-        auditLog({ op: 'rotate', app, secret: key, ok: true, details: `strategy=${strategy}` });
-        return { app, key, strategy, snapshot, rolledBack: false };
-    }
-    catch (err) {
-        const reason = err instanceof Error ? err.message : String(err);
-        // Restore from snapshot on any failure.
+export async function performRotation(app, key, newValue, opts = {}) {
+    // Hold the manifest lock for the whole snapshot → seal → markRotated cycle
+    // so a concurrent CLI/cron writer can't slip a stale write between our
+    // seal and our metadata stamp. markRotated calls saveManifest internally;
+    // that write happens under our lock.
+    return await lockManifest(() => {
+        const manifest = loadManifest();
+        const entry = manifest.apps[app];
+        if (!entry)
+            throw new SecretsError(`No app in manifest: ${app}`);
+        if (entry.type !== 'env') {
+            throw new SecretsError(`Rotation only supports env-type apps, got ${entry.type}`);
+        }
+        const provider = classifySecret(key);
+        const strategy = provider?.strategy ?? 'immediate';
+        if (strategy === 'user-issued') {
+            throw new SecretsError(`${key} is a user-issued token. Rotating yours doesn't help — invalidate per-user instead.`);
+        }
+        // Strict typed opt — was previously a substring match on opts.notes which
+        // could be bypassed by any caller embedding the flag in free-text notes.
+        if (strategy === 'at-rest-key' && !opts.dataMigrated) {
+            throw new SecretsError(`${key} encrypts data at rest. Re-encrypt your data first, then pass --data-migrated.`);
+        }
+        if (opts.dryRun) {
+            auditLog({ op: 'rotate-attempted', app, secret: key, ok: true, details: 'dry-run' });
+            return { app, key, strategy, snapshot: '(dry-run)', rolledBack: false };
+        }
+        // 1. Snapshot before any change.
+        const snapshot = snapshotApp(app);
+        auditLog({ op: 'snapshot', app, secret: key, ok: true, details: snapshot });
         try {
-            restoreSnapshot(app);
-            auditLog({ op: 'rollback', app, secret: key, ok: true, details: `auto: ${reason}` });
+            // 2. Decrypt, apply rotation, re-encrypt.
+            const plaintext = decryptApp(app);
+            const updated = applyRotation(plaintext, key, newValue, strategy);
+            sealApp(app, updated, entry.sourceFile);
+            // 3. Stamp metadata.
+            markRotated(app, key, { strategy, notes: opts.notes });
+            auditLog({ op: 'rotate', app, secret: key, ok: true, details: `strategy=${strategy}` });
+            return { app, key, strategy, snapshot, rolledBack: false };
         }
-        catch (rollbackErr) {
-            auditLog({
-                op: 'rollback',
-                app,
-                secret: key,
-                ok: false,
-                details: `auto rollback also failed: ${rollbackErr}`,
-            });
+        catch (err) {
+            const reason = err instanceof Error ? err.message : String(err);
+            // Restore from snapshot on any failure.
+            try {
+                restoreSnapshot(app);
+                auditLog({ op: 'rollback', app, secret: key, ok: true, details: `auto: ${reason}` });
+            }
+            catch (rollbackErr) {
+                auditLog({
+                    op: 'rollback',
+                    app,
+                    secret: key,
+                    ok: false,
+                    details: `auto rollback also failed: ${rollbackErr}`,
+                });
+            }
+            auditLog({ op: 'rotate-failed', app, secret: key, ok: false, details: reason });
+            return { app, key, strategy, snapshot, rolledBack: true, reason };
         }
-        auditLog({ op: 'rotate-failed', app, secret: key, ok: false, details: reason });
-        return { app, key, strategy, snapshot, rolledBack: true, reason };
-    }
+    });
 }

package/dist/core/secrets-v2-cleanup.d.ts

@@ -0,0 +1,19 @@
+export interface CleanupOpts {
+    app: string;
+    retentionDays?: number;
+    dryRun?: boolean;
+}
+export interface CleanupResult {
+    app: string;
+    removedBak: boolean;
+    removedSnapshots: string[];
+    keptSnapshots: string[];
+    dryRun: boolean;
+}
+/**
+ * parse a filesystem-safe snapshot timestamp back to a Date.
+ * input: '2026-05-06T12-00-00-000Z' (colons and dots replaced with dashes)
+ * output: Date('2026-05-06T12:00:00.000Z'), or null if unparseable
+ */
+export declare function parseSnapshotTimestamp(ts: string): Date | null;
+export declare function cleanupV2Backups(opts: CleanupOpts): Promise<CleanupResult>;

package/dist/core/secrets-v2-cleanup.js

@@ -0,0 +1,94 @@
+import { dirname, join } from 'node:path';
+import { existsSync, readdirSync, rmSync, unlinkSync } from 'node:fs';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { findApp, load } from './registry.js';
+import { listSnapshots } from './secrets-v2-snapshot.js';
+import { SecretsError } from './errors.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/** resolve vault dir: env override (used in tests) or the default computed path */
+function resolveVaultDir() {
+    return process.env.FLEET_VAULT_DIR ?? join(__dirname, '..', '..', 'vault');
+}
+/** read manifest directly without calling requireInit() */
+function readManifest(vaultDir) {
+    const p = join(vaultDir, 'manifest.json');
+    if (!existsSync(p))
+        return { version: 1, apps: {} };
+    try {
+        return JSON.parse(readFileSync(p, 'utf-8'));
+    }
+    catch {
+        return { version: 1, apps: {} };
+    }
+}
+/**
+ * parse a filesystem-safe snapshot timestamp back to a Date.
+ * input: '2026-05-06T12-00-00-000Z' (colons and dots replaced with dashes)
+ * output: Date('2026-05-06T12:00:00.000Z'), or null if unparseable
+ */
+export function parseSnapshotTimestamp(ts) {
+    const m = ts.match(/^(\d{4}-\d{2}-\d{2}T)(\d{2})-(\d{2})-(\d{2})-(\d{3})Z$/);
+    if (!m)
+        return null;
+    return new Date(`${m[1]}${m[2]}:${m[3]}:${m[4]}.${m[5]}Z`);
+}
+export async function cleanupV2Backups(opts) {
+    const { app, retentionDays = 30, dryRun = false } = opts;
+    const registry = load();
+    const appEntry = findApp(registry, app);
+    if (!appEntry) {
+        throw new SecretsError(`app '${app}' not found in fleet registry`);
+    }
+    const vaultDir = resolveVaultDir();
+    const manifest = readManifest(vaultDir);
+    const entry = manifest.apps[app];
+    if (!entry || entry.mode !== 'socket') {
+        throw new SecretsError(`app '${app}' is not in v2 mode; cleanup is for post-v2-migration apps only`);
+    }
+    const cutoff = Date.now() - retentionDays * 86_400_000;
+    const backupRoot = join(vaultDir, 'backups');
+    const snapshots = listSnapshots(backupRoot, app);
+    const removedSnapshots = [];
+    const keptSnapshots = [];
+    for (const snap of snapshots) {
+        const ts = parseSnapshotTimestamp(snap.timestamp);
+        if (!ts) {
+            // unparseable timestamp — keep rather than risk destroying unknown content
+            keptSnapshots.push(snap.timestamp);
+            continue;
+        }
+        if (ts.getTime() < cutoff) {
+            removedSnapshots.push(snap.timestamp);
+            if (!dryRun) {
+                rmSync(snap.dir, { recursive: true, force: true });
+                // best-effort: remove the parent timestamp dir if it's now empty
+                const parentDir = dirname(snap.dir);
+                try {
+                    const remaining = readdirSync(parentDir);
+                    if (remaining.length === 0)
+                        rmSync(parentDir, { recursive: true, force: true });
+                }
+                catch { /* ignore */ }
+            }
+        }
+        else {
+            keptSnapshots.push(snap.timestamp);
+        }
+    }
+    let removedBak = false;
+    const bakPath = join(vaultDir, `${app}.env.age.v1.bak`);
+    if (existsSync(bakPath)) {
+        if (!dryRun) {
+            try {
+                unlinkSync(bakPath);
+                removedBak = true;
+            }
+            catch { /* best-effort */ }
+        }
+        else {
+            removedBak = true;
+        }
+    }
+    return { app, removedBak, removedSnapshots, keptSnapshots, dryRun };
+}

package/dist/core/secrets-v2-creds.d.ts

@@ -0,0 +1,9 @@
+export declare const CRED_DIR = "/etc/fleet/credentials";
+export declare function credentialPathFor(app: string): string;
+export declare function encryptCredential(args: {
+    name: string;
+    plaintext: string;
+    outputPath: string;
+}): void;
+export declare function credentialExists(app: string): boolean;
+export declare function removeCredential(app: string): void;

package/dist/core/secrets-v2-creds.js

@@ -0,0 +1,44 @@
+import { existsSync, mkdirSync, chmodSync, unlinkSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+export const CRED_DIR = '/etc/fleet/credentials';
+export function credentialPathFor(app) {
+    const p = join(CRED_DIR, `${app}.cred`);
+    if (!p.startsWith(CRED_DIR + '/')) {
+        throw new SecretsError(`invalid app name: ${app}`);
+    }
+    return p;
+}
+export function encryptCredential(args) {
+    const dir = dirname(args.outputPath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    const r = execSafe('systemd-creds', ['encrypt', '--name', args.name, '-', args.outputPath], { input: args.plaintext });
+    if (!r.ok) {
+        const safeStderr = args.plaintext.length > 0
+            ? r.stderr.split(args.plaintext).join('[redacted]')
+            : r.stderr;
+        throw new SecretsError(`systemd-creds encrypt failed: ${safeStderr}`);
+    }
+    try {
+        chmodSync(args.outputPath, 0o600);
+    }
+    catch (chmodErr) {
+        try {
+            unlinkSync(args.outputPath);
+        }
+        catch { /* ignore */ }
+        throw new SecretsError(`chmod failed for ${args.outputPath}: ${chmodErr.message}`);
+    }
+}
+export function credentialExists(app) {
+    return existsSync(credentialPathFor(app));
+}
+export function removeCredential(app) {
+    const p = credentialPathFor(app);
+    if (existsSync(p)) {
+        unlinkSync(p);
+    }
+}

package/dist/core/secrets-v2-install.d.ts

@@ -0,0 +1,13 @@
+export interface InstallResult {
+    agentBinaryInstalled: boolean;
+    unitFileInstalled: boolean;
+    daemonReloaded: boolean;
+    templateParseable: boolean;
+}
+export declare function installV2(opts?: {
+    dryRun?: boolean;
+    agentSourcePath?: string;
+    destBinaryPath?: string;
+    unitFilePath?: string;
+    vaultPath?: string;
+}): Promise<InstallResult>;

package/dist/core/secrets-v2-install.js

@@ -0,0 +1,76 @@
+import { existsSync, readFileSync, writeFileSync, copyFileSync, chmodSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+import { generateAgentUnit } from '../templates/agent-unit.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DEFAULT_AGENT_SOURCE = join(__dirname, '..', 'bin', 'fleet-agent.js');
+const DEFAULT_BINARY_DEST = '/usr/local/bin/fleet-agent';
+const DEFAULT_UNIT_PATH = '/etc/systemd/system/fleet-secrets-agent@.service';
+/** vault dir resolution. mirrors secrets-v2-cleanup.ts — env override
+ *  takes precedence so tests and bespoke deploys both work without
+ *  hardcoding an operator-specific path into the systemd unit. */
+function resolveVaultDir() {
+    return process.env.FLEET_VAULT_DIR ?? join(__dirname, '..', '..', 'vault');
+}
+export async function installV2(opts = {}) {
+    const sourcePath = opts.agentSourcePath ?? DEFAULT_AGENT_SOURCE;
+    const destPath = opts.destBinaryPath ?? DEFAULT_BINARY_DEST;
+    const unitPath = opts.unitFilePath ?? DEFAULT_UNIT_PATH;
+    const vaultPath = opts.vaultPath ?? resolveVaultDir();
+    const dryRun = opts.dryRun ?? false;
+    if (!existsSync(sourcePath)) {
+        throw new SecretsError(`agent binary source not found at ${sourcePath} — run 'npm run build' first`);
+    }
+    const sourceContent = readFileSync(sourcePath);
+    const result = {
+        agentBinaryInstalled: false,
+        unitFileInstalled: false,
+        daemonReloaded: false,
+        templateParseable: false,
+    };
+    // install binary if changed (byte-equal comparison)
+    let needBinaryWrite = !existsSync(destPath);
+    if (!needBinaryWrite) {
+        const existingContent = readFileSync(destPath);
+        needBinaryWrite = !existingContent.equals(sourceContent);
+    }
+    if (needBinaryWrite) {
+        if (!dryRun) {
+            copyFileSync(sourcePath, destPath);
+            chmodSync(destPath, 0o755);
+        }
+        result.agentBinaryInstalled = true;
+    }
+    // install unit file if changed (text-equal comparison)
+    const unitContent = generateAgentUnit(vaultPath);
+    let needUnitWrite = !existsSync(unitPath);
+    if (!needUnitWrite) {
+        const existing = readFileSync(unitPath, 'utf-8');
+        needUnitWrite = existing !== unitContent;
+    }
+    if (needUnitWrite) {
+        if (!dryRun) {
+            writeFileSync(unitPath, unitContent);
+            chmodSync(unitPath, 0o644);
+        }
+        result.unitFileInstalled = true;
+    }
+    // daemon-reload only if we wrote something
+    if ((result.agentBinaryInstalled || result.unitFileInstalled) && !dryRun) {
+        const r = execSafe('systemctl', ['daemon-reload']);
+        if (!r.ok)
+            throw new SecretsError(`systemctl daemon-reload failed: ${r.stderr}`);
+        result.daemonReloaded = true;
+    }
+    // verify template is parseable (soft check — not thrown on failure)
+    if (!dryRun) {
+        const r = execSafe('systemctl', ['cat', 'fleet-secrets-agent@verify.service']);
+        result.templateParseable = r.ok;
+    }
+    else {
+        result.templateParseable = true;
+    }
+    return result;
+}

package/dist/core/secrets-v2-keypair.d.ts

@@ -0,0 +1,10 @@
+export interface Keypair {
+    publicKey: string;
+    privateKey: string;
+}
+export declare function reencryptForRecipient(args: {
+    ciphertext: string;
+    oldKeyPath: string;
+    newRecipient: string;
+}): string;
+export declare function generateKeypair(): Keypair;

package/dist/core/secrets-v2-keypair.js

@@ -0,0 +1,31 @@
+import { execSafe } from './exec.js';
+import { SecretsError } from './errors.js';
+export function reencryptForRecipient(args) {
+    const dec = execSafe('age', ['-d', '-i', args.oldKeyPath], { input: args.ciphertext });
+    if (!dec.ok) {
+        throw new SecretsError(`decrypt failed: ${dec.stderr}`);
+    }
+    const plaintext = dec.stdout;
+    const enc = execSafe('age', ['-r', args.newRecipient, '--armor'], { input: plaintext });
+    if (!enc.ok) {
+        throw new SecretsError(`encrypt failed: ${enc.stderr}`);
+    }
+    return enc.stdout;
+}
+export function generateKeypair() {
+    const r = execSafe('age-keygen', []);
+    if (!r.ok)
+        throw new SecretsError(`age-keygen failed: ${r.stderr}`);
+    const lines = r.stdout.split('\n');
+    const pub = lines.find(l => l.startsWith('# public key: '))?.slice('# public key: '.length).trim();
+    const priv = lines.find(l => l.startsWith('AGE-SECRET-KEY-'))?.trim();
+    if (!pub || !priv) {
+        const safeOut = r.stdout
+            .split('\n')
+            .filter(l => !l.includes('AGE-SECRET-KEY-'))
+            .join('\n')
+            .slice(0, 200);
+        throw new SecretsError(`could not parse age-keygen output: ${safeOut}`);
+    }
+    return { publicKey: pub, privateKey: priv };
+}

package/dist/core/secrets-v2-migrate.d.ts

@@ -0,0 +1,29 @@
+export interface MigrateOpts {
+    app: string;
+    noRestartApp?: boolean;
+    dryRun?: boolean;
+}
+export interface MigrateStep {
+    step: number;
+    name: string;
+    ok: boolean;
+    detail?: string;
+}
+export interface MigrateResult {
+    app: string;
+    snapshotDir: string | null;
+    steps: MigrateStep[];
+    rolledBack: boolean;
+}
+export declare function migrateAppToV2(opts: MigrateOpts): Promise<MigrateResult>;
+export interface RevertOpts {
+    app: string;
+    snapshotTimestamp?: string;
+}
+export interface RevertResult {
+    app: string;
+    snapshotUsed: string;
+    steps: MigrateStep[];
+    ok: boolean;
+}
+export declare function revertAppFromV2(opts: RevertOpts): Promise<RevertResult>;