@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/core/self-update.d.ts

@@ -2,24 +2,45 @@
  * Self-update check and apply for fleet itself.
  *
  * fleet is installed via `npm link`-style symlink from /usr/local/bin/fleet to
- * /home/matt/fleet/dist/index.js. Updates are produced by:
- *   1. git pull --ff-only origin develop  in /home/matt/fleet
- *   2. npm run build  (rewrites dist/)
+ * the repo's dist/index.js. Updates are produced by:
+ *   1. git fetch origin <channel>  (channel = main by default, develop on opt-in)
+ *   2. git pull --ff-only origin <channel>  in the fleet checkout
+ *   3. npm run build  (rewrites dist/)
+ *
+ * Channel selection:
+ *   - default: 'stable' → tracks origin/main (tagged releases only).
+ *   - FLEET_UPDATE_CHANNEL=prerelease → tracks origin/develop (work in flight).
+ *   - FLEET_UPDATE_BRANCH=<name> → arbitrary branch (escape hatch for forks).
+ *
+ * The check intentionally compares against the configured remote branch, not
+ * the local HEAD's tracking branch — so even if the local checkout is on
+ * `develop` the operator can opt back to the stable channel without first
+ * switching branches.
  *
  * checkForUpdate() does a non-blocking `git fetch` + compares HEAD with the
  * remote. applyUpdate() runs the pull + build. Both are pure shell wrappers
  * around execSafe — easy to mock in tests, easy to reason about under sudo.
  */
+export type UpdateChannel = 'stable' | 'prerelease';
+/** resolve the remote branch to track based on env vars. */
+export declare function resolveChannel(): {
+    channel: UpdateChannel;
+    branch: string;
+};
 export interface UpdateInfo {
-    /** True if `git rev-parse @{u}` shows commits ahead of HEAD. */
+    /** true if `git rev-parse @{u}` shows commits ahead of HEAD. */
     available: boolean;
-    /** Number of commits HEAD is behind origin. 0 if up-to-date. */
+    /** number of commits HEAD is behind the configured remote branch. */
     behind: number;
-    /** Short subject of the latest remote commit (or empty string on failure). */
+    /** short subject of the latest remote commit (or empty string on failure). */
     latestSubject: string;
-    /** Branch name in the local repo. */
+    /** local branch in the working tree. */
     branch: string;
-    /** Why the check failed, if it did. */
+    /** remote branch being tracked for updates (e.g. 'main' or 'develop'). */
+    remoteBranch: string;
+    /** stable = main (tagged releases), prerelease = develop (work in flight). */
+    channel: UpdateChannel;
+    /** why the check failed, if it did. */
     error?: string;
 }
 export interface UpdateResult {
@@ -34,8 +55,8 @@ export interface UpdateResult {
  */
 export declare function checkForUpdate(): Promise<UpdateInfo>;
 /**
- * Apply: git pull --ff-only + npm run build. Refuses to run if the working
- * tree is dirty (would clobber uncommitted changes). Returns aggregate output
- * for the toast / TUI to surface.
+ * Apply: git pull --ff-only origin <channel-branch> + npm run build. Refuses
+ * to run if the working tree is dirty (would clobber uncommitted changes).
+ * Returns aggregate output for the toast / TUI to surface.
  */
 export declare function applyUpdate(): Promise<UpdateResult>;

package/dist/core/self-update.js

@@ -2,9 +2,20 @@
  * Self-update check and apply for fleet itself.
  *
  * fleet is installed via `npm link`-style symlink from /usr/local/bin/fleet to
- * /home/matt/fleet/dist/index.js. Updates are produced by:
- *   1. git pull --ff-only origin develop  in /home/matt/fleet
- *   2. npm run build  (rewrites dist/)
+ * the repo's dist/index.js. Updates are produced by:
+ *   1. git fetch origin <channel>  (channel = main by default, develop on opt-in)
+ *   2. git pull --ff-only origin <channel>  in the fleet checkout
+ *   3. npm run build  (rewrites dist/)
+ *
+ * Channel selection:
+ *   - default: 'stable' → tracks origin/main (tagged releases only).
+ *   - FLEET_UPDATE_CHANNEL=prerelease → tracks origin/develop (work in flight).
+ *   - FLEET_UPDATE_BRANCH=<name> → arbitrary branch (escape hatch for forks).
+ *
+ * The check intentionally compares against the configured remote branch, not
+ * the local HEAD's tracking branch — so even if the local checkout is on
+ * `develop` the operator can opt back to the stable channel without first
+ * switching branches.
  *
  * checkForUpdate() does a non-blocking `git fetch` + compares HEAD with the
  * remote. applyUpdate() runs the pull + build. Both are pure shell wrappers
@@ -16,39 +27,66 @@ import { execSafe } from './exec.js';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 // dist/core/self-update.js → repo root is two ../
 const FLEET_REPO = process.env.FLEET_REPO_PATH ?? `${__dirname}/../..`;
+/** resolve the remote branch to track based on env vars. */
+export function resolveChannel() {
+    // explicit branch override wins — for forks or custom workflows.
+    const explicit = process.env.FLEET_UPDATE_BRANCH;
+    if (explicit) {
+        const channel = explicit === 'develop' ? 'prerelease' : 'stable';
+        return { channel, branch: explicit };
+    }
+    if (process.env.FLEET_UPDATE_CHANNEL === 'prerelease') {
+        return { channel: 'prerelease', branch: 'develop' };
+    }
+    return { channel: 'stable', branch: 'main' };
+}
 /**
  * Non-blocking check. Does a `git fetch` (timeboxed) then compares.
  * Returns a stable UpdateInfo even on failure (just `available=false`).
  */
 export async function checkForUpdate() {
+    const { channel, branch: remoteBranch } = resolveChannel();
     const branchR = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', '--abbrev-ref', 'HEAD']);
     if (!branchR.ok) {
-        return { available: false, behind: 0, latestSubject: '', branch: '?', error: branchR.stderr };
+        return {
+            available: false, behind: 0, latestSubject: '',
+            branch: '?', remoteBranch, channel,
+            error: branchR.stderr,
+        };
     }
     const branch = branchR.stdout;
     // Fetch quietly, with a short timeout so we never block the TUI launch.
-    const fetchR = execSafe('git', ['-C', FLEET_REPO, 'fetch', '--quiet', 'origin', branch], { timeout: 8_000 });
+    const fetchR = execSafe('git', ['-C', FLEET_REPO, 'fetch', '--quiet', 'origin', remoteBranch], { timeout: 8_000 });
     if (!fetchR.ok) {
-        return { available: false, behind: 0, latestSubject: '', branch, error: 'fetch failed' };
+        return {
+            available: false, behind: 0, latestSubject: '',
+            branch, remoteBranch, channel,
+            error: 'fetch failed',
+        };
     }
-    const countR = execSafe('git', ['-C', FLEET_REPO, 'rev-list', '--count', `HEAD..origin/${branch}`]);
+    const countR = execSafe('git', ['-C', FLEET_REPO, 'rev-list', '--count', `HEAD..origin/${remoteBranch}`]);
     if (!countR.ok) {
-        return { available: false, behind: 0, latestSubject: '', branch, error: countR.stderr };
+        return {
+            available: false, behind: 0, latestSubject: '',
+            branch, remoteBranch, channel,
+            error: countR.stderr,
+        };
     }
     const behind = parseInt(countR.stdout, 10) || 0;
     let latestSubject = '';
     if (behind > 0) {
-        const subR = execSafe('git', ['-C', FLEET_REPO, 'log', '-1', '--pretty=%s', `origin/${branch}`]);
+        const subR = execSafe('git', ['-C', FLEET_REPO, 'log', '-1', '--pretty=%s', `origin/${remoteBranch}`]);
         latestSubject = subR.ok ? subR.stdout : '';
     }
-    return { available: behind > 0, behind, latestSubject, branch };
+    return { available: behind > 0, behind, latestSubject, branch, remoteBranch, channel };
 }
 /**
- * Apply: git pull --ff-only + npm run build. Refuses to run if the working
- * tree is dirty (would clobber uncommitted changes). Returns aggregate output
- * for the toast / TUI to surface.
+ * Apply: git pull --ff-only origin <channel-branch> + npm run build. Refuses
+ * to run if the working tree is dirty (would clobber uncommitted changes).
+ * Returns aggregate output for the toast / TUI to surface.
  */
 export async function applyUpdate() {
+    const { branch: remoteBranch } = resolveChannel();
     const dirty = execSafe('git', ['-C', FLEET_REPO, 'status', '--porcelain']);
     if (dirty.ok && dirty.stdout.length > 0) {
         return {
@@ -57,7 +95,7 @@ export async function applyUpdate() {
         };
     }
     const pre = execSafe('git', ['-C', FLEET_REPO, 'rev-parse', 'HEAD']);
-    const pull = execSafe('git', ['-C', FLEET_REPO, 'pull', '--ff-only'], { timeout: 30_000 });
+    const pull = execSafe('git', ['-C', FLEET_REPO, 'pull', '--ff-only', 'origin', remoteBranch], { timeout: 30_000 });
     if (!pull.ok) {
         return { ok: false, pulled: 0, buildOk: false, output: pull.stderr || pull.stdout };
     }

package/dist/core/testflight/asc.d.ts

@@ -0,0 +1,12 @@
+import type { AscCredentials, TestflightBuild } from './types.js';
+export declare function ascJwt(creds: AscCredentials, now?: number): string;
+interface AscRequestOptions {
+    method?: string;
+    body?: unknown;
+}
+export declare function ascRequest(creds: AscCredentials, path: string, opts?: AscRequestOptions): Promise<unknown>;
+export declare function listBuilds(creds: AscCredentials, ascAppId: string, limit?: number): Promise<TestflightBuild[]>;
+export declare function expireBuild(creds: AscCredentials, buildId: string): Promise<void>;
+export declare function setWhatsNew(creds: AscCredentials, buildId: string, whatsNew: string, locale?: string): Promise<void>;
+export declare function verifyApp(creds: AscCredentials, ascAppId: string): Promise<string>;
+export {};

package/dist/core/testflight/asc.js

@@ -0,0 +1,101 @@
+import { createSign } from 'node:crypto';
+import { FleetError } from '../errors.js';
+const ASC_BASE = 'https://api.appstoreconnect.apple.com';
+function base64url(input) {
+    return Buffer.from(input)
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+// sign a short-lived ES256 jwt for the app store connect api. the lifetime
+// is held well under apple's 20-minute ceiling.
+export function ascJwt(creds, now = Date.now()) {
+    const iat = Math.floor(now / 1000);
+    const header = { alg: 'ES256', kid: creds.keyId, typ: 'JWT' };
+    const payload = { iss: creds.issuerId, iat, exp: iat + 600, aud: 'appstoreconnect-v1' };
+    const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(payload))}`;
+    const signer = createSign('SHA256');
+    signer.update(signingInput);
+    // apple expects the raw r||s signature (ieee-p1363), not asn.1/der.
+    const signature = signer.sign({ key: creds.privateKey, dsaEncoding: 'ieee-p1363' });
+    return `${signingInput}.${base64url(signature)}`;
+}
+// perform an authenticated app store connect api request. a non-2xx response
+// is surfaced as a FleetError carrying apple's first error detail.
+export async function ascRequest(creds, path, opts = {}) {
+    const res = await fetch(`${ASC_BASE}${path}`, {
+        method: opts.method ?? 'GET',
+        headers: {
+            Authorization: `Bearer ${ascJwt(creds)}`,
+            'Content-Type': 'application/json',
+        },
+        ...(opts.body !== undefined && { body: JSON.stringify(opts.body) }),
+    });
+    if (res.status === 204)
+        return null;
+    const text = await res.text();
+    const json = text ? JSON.parse(text) : null;
+    if (!res.ok) {
+        const detail = json?.errors?.[0]?.detail;
+        throw new FleetError(`App Store Connect API ${res.status}: ${detail ?? text.slice(0, 200)}`);
+    }
+    return json;
+}
+// list builds for an app store connect app, newest upload first.
+export async function listBuilds(creds, ascAppId, limit = 20) {
+    const query = `filter[app]=${encodeURIComponent(ascAppId)}&sort=-uploadedDate` +
+        `&limit=${limit}&include=preReleaseVersion`;
+    const res = (await ascRequest(creds, `/v1/builds?${query}`));
+    const preReleaseVersions = new Map((res.included ?? [])
+        .filter(i => i.type === 'preReleaseVersions')
+        .map(i => [i.id, i.attributes?.version ?? '']));
+    return (res.data ?? []).map(b => ({
+        id: b.id,
+        version: b.attributes?.version ?? '',
+        shortVersion: preReleaseVersions.get(b.relationships?.preReleaseVersion?.data?.id ?? '') ?? '',
+        processingState: b.attributes?.processingState ?? 'UNKNOWN',
+        expired: b.attributes?.expired ?? false,
+        uploadedDate: b.attributes?.uploadedDate ?? '',
+    }));
+}
+// expire a build — the closest the api offers to "delete". an expired build
+// leaves testflight and can no longer be installed by testers.
+export async function expireBuild(creds, buildId) {
+    await ascRequest(creds, `/v1/builds/${buildId}`, {
+        method: 'PATCH',
+        body: { data: { type: 'builds', id: buildId, attributes: { expired: true } } },
+    });
+}
+// set the "what to test" notes for a build, creating the beta localisation
+// when the build has none for the requested locale yet.
+export async function setWhatsNew(creds, buildId, whatsNew, locale = 'en-GB') {
+    const existing = (await ascRequest(creds, `/v1/builds/${buildId}/betaBuildLocalizations`));
+    const match = (existing.data ?? []).find(l => l.attributes?.locale === locale) ??
+        (existing.data ?? [])[0];
+    if (match) {
+        await ascRequest(creds, `/v1/betaBuildLocalizations/${match.id}`, {
+            method: 'PATCH',
+            body: {
+                data: { type: 'betaBuildLocalizations', id: match.id, attributes: { whatsNew } },
+            },
+        });
+        return;
+    }
+    await ascRequest(creds, '/v1/betaBuildLocalizations', {
+        method: 'POST',
+        body: {
+            data: {
+                type: 'betaBuildLocalizations',
+                attributes: { locale, whatsNew },
+                relationships: { build: { data: { type: 'builds', id: buildId } } },
+            },
+        },
+    });
+}
+// fetch an app's name — a cheap call used to verify credentials and the
+// configured app id resolve.
+export async function verifyApp(creds, ascAppId) {
+    const res = (await ascRequest(creds, `/v1/apps/${ascAppId}`));
+    return res.data?.attributes?.name ?? '(unknown)';
+}

package/dist/core/testflight/credentials.d.ts

@@ -0,0 +1,3 @@
+import type { AscCredentials } from './types.js';
+export declare function resolveAscCredentials(env: NodeJS.ProcessEnv): AscCredentials;
+export declare function hasAscCredentials(env: NodeJS.ProcessEnv): boolean;

package/dist/core/testflight/credentials.js

@@ -0,0 +1,35 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { FleetError } from '../errors.js';
+// resolve app store connect api credentials from an environment map. the
+// private key is supplied either inline-base64 (ASC_API_KEY_B64) or as a path
+// to a .p8 file (ASC_API_KEY_PATH) — base64 is preferred so the key lives in
+// the fleet secrets vault rather than as a loose file on disk.
+export function resolveAscCredentials(env) {
+    const keyId = env.ASC_API_KEY_ID;
+    const issuerId = env.ASC_API_KEY_ISSUER_ID;
+    if (!keyId || !issuerId) {
+        throw new FleetError('App Store Connect credentials missing — set ASC_API_KEY_ID and ASC_API_KEY_ISSUER_ID.');
+    }
+    let privateKey;
+    if (env.ASC_API_KEY_B64) {
+        privateKey = Buffer.from(env.ASC_API_KEY_B64, 'base64').toString('utf-8');
+    }
+    else if (env.ASC_API_KEY_PATH && existsSync(env.ASC_API_KEY_PATH)) {
+        privateKey = readFileSync(env.ASC_API_KEY_PATH, 'utf-8');
+    }
+    if (!privateKey || !privateKey.includes('PRIVATE KEY')) {
+        throw new FleetError('App Store Connect private key missing — set ASC_API_KEY_B64 (base64 of the .p8) ' +
+            'or ASC_API_KEY_PATH (path to the .p8 file).');
+    }
+    return { keyId, issuerId, privateKey };
+}
+// true when full app store connect credentials are present in `env`.
+export function hasAscCredentials(env) {
+    try {
+        resolveAscCredentials(env);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/core/testflight/resolve.d.ts

@@ -0,0 +1,6 @@
+export interface TestflightTarget {
+    app: string;
+    projectPath: string;
+}
+export declare function resolveTestflightTarget(target: string): TestflightTarget;
+export declare function appSecretsEnv(app: string): NodeJS.ProcessEnv;

package/dist/core/testflight/resolve.js

@@ -0,0 +1,44 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { load, findApp } from '../registry.js';
+import { FleetError } from '../errors.js';
+const SECRETS_BASE = '/run/fleet-secrets';
+// resolve a registered fleet app to its mobile project directory. testflight
+// targets must be registered apps — the credentials live in the app's vault.
+export function resolveTestflightTarget(target) {
+    const app = findApp(load(), target);
+    if (!app) {
+        throw new FleetError(`Unknown app "${target}" — not in the fleet registry.`);
+    }
+    const mobileDir = join(app.composePath, 'mobile');
+    return {
+        app: app.name,
+        projectPath: existsSync(mobileDir) ? mobileDir : app.composePath,
+    };
+}
+// minimal .env reader for an app's unsealed fleet secrets.
+function readEnvFile(path) {
+    if (!existsSync(path))
+        return {};
+    const vars = {};
+    for (const line of readFileSync(path, 'utf-8').split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#'))
+            continue;
+        const eq = trimmed.indexOf('=');
+        if (eq < 1)
+            continue;
+        let val = trimmed.slice(eq + 1);
+        if ((val.startsWith('"') && val.endsWith('"')) ||
+            (val.startsWith("'") && val.endsWith("'"))) {
+            val = val.slice(1, -1);
+        }
+        vars[trimmed.slice(0, eq)] = val;
+    }
+    return vars;
+}
+// an app's unsealed fleet secrets layered over the current process env. the
+// vault holds the App Store Connect / Expo credentials testflight needs.
+export function appSecretsEnv(app) {
+    return { ...process.env, ...readEnvFile(join(SECRETS_BASE, app, '.env')) };
+}

package/dist/core/testflight/types.d.ts

@@ -0,0 +1,13 @@
+export interface AscCredentials {
+    keyId: string;
+    issuerId: string;
+    privateKey: string;
+}
+export interface TestflightBuild {
+    id: string;
+    version: string;
+    shortVersion: string;
+    processingState: string;
+    expired: boolean;
+    uploadedDate: string;
+}

package/dist/core/testflight/types.js

@@ -0,0 +1,3 @@
+// shapes for the testflight publishing pipeline. the asc types mirror the
+// json:api responses consumed from the app store connect api.
+export {};

package/dist/core/testflight/workflow.d.ts

@@ -0,0 +1,17 @@
+export declare function ghVersion(): string | null;
+export declare function resolveRepo(projectPath: string): string | null;
+export declare function repoSecrets(repo: string): string[] | null;
+export interface WorkflowDispatch {
+    ok: boolean;
+    message: string;
+}
+export declare function dispatchWorkflow(repo: string, workflow: string, ref?: string): WorkflowDispatch;
+export interface WorkflowRun {
+    databaseId: number;
+    status: string;
+    conclusion: string | null;
+    url: string;
+    createdAt: string;
+}
+export declare function latestRun(repo: string, workflow: string): WorkflowRun | null;
+export declare function watchRun(repo: string, runId: number): number;

package/dist/core/testflight/workflow.js

@@ -0,0 +1,65 @@
+import { execSafe, execLive } from '../exec.js';
+// an ios .ipa can only be built on macos, so `fleet testflight publish`
+// does not build locally — it dispatches the repo's testflight workflow,
+// which runs on a github-hosted macos runner. every operation here is the
+// github cli driving that workflow.
+// version line of the github cli, or null when it isn't installed.
+export function ghVersion() {
+    const res = execSafe('gh', ['--version'], { timeout: 30_000 });
+    if (!res.ok || !res.stdout)
+        return null;
+    return res.stdout.split('\n').map(l => l.trim()).filter(Boolean)[0] ?? null;
+}
+// owner/name of the github repo backing a project directory, or null when
+// the directory is not a github checkout the gh cli recognises.
+export function resolveRepo(projectPath) {
+    const res = execSafe('gh', ['repo', 'view', '--json', 'nameWithOwner', '-q', '.nameWithOwner'], { cwd: projectPath, timeout: 30_000 });
+    if (!res.ok)
+        return null;
+    return res.stdout.trim() || null;
+}
+// names of the actions secrets configured on a repo, or null when they
+// cannot be listed (gh not authenticated, or no access to the repo).
+export function repoSecrets(repo) {
+    const res = execSafe('gh', ['secret', 'list', '--repo', repo], { timeout: 30_000 });
+    if (!res.ok)
+        return null;
+    return res.stdout
+        .split('\n')
+        .map(l => l.trim().split(/\s+/)[0])
+        .filter(Boolean);
+}
+// dispatch the testflight build workflow. `gh workflow run` queues a
+// workflow_dispatch event and returns no run id, so the caller resolves the
+// resulting run separately via latestRun.
+export function dispatchWorkflow(repo, workflow, ref) {
+    const args = ['workflow', 'run', workflow, '--repo', repo];
+    if (ref)
+        args.push('--ref', ref);
+    const res = execSafe('gh', args, { timeout: 60_000 });
+    return {
+        ok: res.ok,
+        message: (res.ok ? res.stdout : res.stderr).trim() || (res.ok ? 'dispatched' : 'dispatch failed'),
+    };
+}
+// the most recent run of a workflow, or null when it has never run.
+export function latestRun(repo, workflow) {
+    const res = execSafe('gh', [
+        'run', 'list', '--repo', repo, '--workflow', workflow,
+        '--limit', '1', '--json', 'databaseId,status,conclusion,url,createdAt',
+    ], { timeout: 30_000 });
+    if (!res.ok || !res.stdout)
+        return null;
+    try {
+        const runs = JSON.parse(res.stdout);
+        return runs[0] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+// stream a workflow run to completion, inheriting stdio so progress shows
+// live. returns the exit code — non-zero when the run failed.
+export function watchRun(repo, runId) {
+    return execLive('gh', ['run', 'watch', String(runId), '--repo', repo, '--exit-status']);
+}

package/dist/core/validate.d.ts

@@ -4,4 +4,5 @@ export declare function assertDomain(domain: string): void;
 export declare function assertBranch(branch: string): void;
 export declare function assertHealthPath(path: string): void;
 export declare function assertFilePath(path: string): void;
+export declare function assertComposeFile(name: string): void;
 export declare function assertSecretKey(key: string): void;

package/dist/core/validate.js

@@ -5,6 +5,11 @@ const HEALTH_PATH_RE = /^\/[a-zA-Z0-9/_.-]*$/;
 const SERVICE_NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9@._-]*$/;
 // Secret keys must be valid env var names (alphanumeric + underscore, no leading digit)
 const SECRET_KEY_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+// Compose filenames must be a bare filename (no path separators) ending in
+// .yml or .yaml. The value is interpolated into systemd ExecStart directives,
+// so it must not contain quotes, spaces, newlines, or any shell-meaningful
+// character that would let an attacker inject extra `-f` flags or commands.
+const COMPOSE_FILE_RE = /^[A-Za-z0-9_.-]+\.ya?ml$/;
 function assert(value, label, pattern) {
     if (!pattern.test(value)) {
         throw new Error(`Invalid ${label}: "${value}" does not match ${pattern}`);
@@ -37,6 +42,9 @@ export function assertHealthPath(path) {
 export function assertFilePath(path) {
     assertNoTraversal(path, 'file path');
 }
+export function assertComposeFile(name) {
+    assert(name, 'compose filename', COMPOSE_FILE_RE);
+}
 export function assertSecretKey(key) {
     assert(key, 'secret key', SECRET_KEY_RE);
 }

package/dist/mcp/audit-tools.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerAuditTools(server: McpServer): void;

package/dist/mcp/audit-tools.js

@@ -0,0 +1,94 @@
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { z } from 'zod';
+import { findGreenlight, runPreflight, runGuidelines } from '../core/audit/greenlight.js';
+import { resolveAuditTarget } from '../core/audit/target.js';
+import { loadAuditCache, saveAuditRecord } from '../core/audit/cache.js';
+import { loadAuditConfig, saveAuditConfig } from '../core/audit/config.js';
+import { applySuppressions } from '../core/audit/suppress.js';
+function text(msg) {
+    return { content: [{ type: 'text', text: msg }] };
+}
+const INSTALL_NOTE = 'greenlight binary not found. Install it with: ' +
+    'go install github.com/RevylAI/greenlight/cmd/greenlight@latest ' +
+    '(or set GREENLIGHT_BIN to an absolute path).';
+export function registerAuditTools(server) {
+    server.tool('fleet_audit_run', 'Run an App Store compliance audit on a mobile app project via greenlight preflight. ' +
+        'Scans source code, the privacy manifest, and metadata for Apple App Store rejection ' +
+        'risks. Target is a registered fleet app name or a path to a mobile project directory. ' +
+        'Returns the full report (findings grouped by CRITICAL/WARN/INFO plus a pass/fail summary).', {
+        target: z.string().describe('Registered app name or path to a mobile project directory'),
+        ipaPath: z.string().optional().describe('Optional path to a built .ipa for binary inspection'),
+    }, async ({ target, ipaPath }) => {
+        if (!findGreenlight())
+            return text(INSTALL_NOTE);
+        const { target: resolved, projectPath } = resolveAuditTarget(target);
+        let ipa;
+        if (ipaPath) {
+            ipa = resolve(ipaPath);
+            if (!existsSync(ipa))
+                return text(`IPA file not found: ${ipa}`);
+        }
+        const raw = runPreflight(projectPath, { ipaPath: ipa });
+        const { report, suppressed } = applySuppressions(raw, resolved, loadAuditConfig().ignore);
+        const record = {
+            target: resolved,
+            projectPath,
+            ...(ipa && { ipaPath: ipa }),
+            ranAt: new Date().toISOString(),
+            report,
+        };
+        saveAuditRecord(record);
+        return text(JSON.stringify({ ...record, suppressed }, null, 2));
+    });
+    server.tool('fleet_audit_status', 'Show the most recent App Store audit results from cache without re-running a scan. ' +
+        'Returns cached audit records (summary plus findings). Use as a cheap first pass before ' +
+        'fleet_audit_run.', { target: z.string().optional().describe('App name or path (omit for all cached audits)') }, async ({ target }) => {
+        const cache = loadAuditCache();
+        const all = Object.values(cache.audits);
+        if (all.length === 0)
+            return text('No audits cached. Run fleet_audit_run first.');
+        if (target) {
+            const rec = cache.audits[target] ?? all.find(a => a.projectPath === resolve(target));
+            if (!rec)
+                return text(`No cached audit for "${target}". Run fleet_audit_run.`);
+            return text(JSON.stringify(rec, null, 2));
+        }
+        return text(JSON.stringify(all, null, 2));
+    });
+    server.tool('fleet_audit_ignore', 'Suppress a confirmed greenlight false positive from future audits. The finding is ' +
+        'matched by its exact title, optionally narrowed to a target and to findings whose file ' +
+        'or code contains a substring. Every rule must carry a reason. Suppressed findings are ' +
+        'dropped and the pass/fail summary is recomputed on subsequent fleet_audit_run calls.', {
+        title: z.string().describe('Exact greenlight finding title to suppress'),
+        reason: z.string().describe('Why this finding is a false positive'),
+        target: z.string().optional().describe('Limit the rule to one audit target'),
+        contains: z.string().optional().describe('Only suppress findings whose file/code contains this substring'),
+    }, async ({ title, reason, target, contains }) => {
+        const config = loadAuditConfig();
+        config.ignore.push({
+            ...(target && { target }),
+            title,
+            ...(contains && { contains }),
+            reason,
+            addedAt: new Date().toISOString(),
+        });
+        saveAuditConfig(config);
+        return text(`Ignoring "${title}"${target ? ` for ${target}` : ''}: ${reason}`);
+    });
+    server.tool('fleet_audit_guidelines', 'Look up Apple App Store Review Guidelines via greenlight. action "list" returns all ' +
+        'sections, "show" returns one section (query is a section number like "2.1"), "search" ' +
+        'matches a keyword (query is the term). Use to interpret a finding\'s guideline reference ' +
+        'or to guide a fix.', {
+        action: z.enum(['list', 'show', 'search']).describe('list, show, or search'),
+        query: z.string().optional().describe('Section number for show (e.g. "2.1") or keyword for search'),
+    }, async ({ action, query }) => {
+        if (!findGreenlight())
+            return text(INSTALL_NOTE);
+        if ((action === 'show' || action === 'search') && !query) {
+            return text(`'${action}' requires a query argument`);
+        }
+        const args = action === 'list' ? ['list'] : [action, query];
+        return text(runGuidelines(args));
+    });
+}

package/dist/mcp/git-tools.js

@@ -49,7 +49,7 @@ export function registerGitTools(server) {
             const plan = describeOnboardPlan(scenario, app.name, status);
             return text(`Scenario: ${scenario}\nRoot: ${root}\n\nPlan:\n${plan.map((s, i) => `${i + 1}. ${s}`).join('\n')}`);
         }
-        const result = executeOnboard(scenario, root, app.name, app.name, status);
+        const result = await executeOnboard(scenario, root, app.name, app.name, status);
         return text(`Onboarded ${app.name} (${result.scenario})\n\nSteps:\n${result.steps.map(s => `- ${s}`).join('\n')}\n\nRepo: ${result.repoUrl}`);
     });
     server.tool('fleet_git_branch', 'Create a feature branch from develop (or other base) and push it', {

package/dist/mcp/registry-bridge.d.ts

@@ -0,0 +1,10 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export interface BridgeTool {
+    toolName: string;
+    summary: string;
+    cliOnly?: boolean;
+}
+/** registry commands as flat tool descriptors, for inspection and tests. */
+export declare function collectRegistryTools(): BridgeTool[];
+/** registers every non-cliOnly registry command as an mcp tool. */
+export declare function registerRegistryTools(server: McpServer): void;