@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/templates/agent-unit.js

@@ -0,0 +1,40 @@
+/** build the templated systemd unit for fleet-secrets-agent@%i.service.
+ *  the vault path comes from the caller — production code passes whatever
+ *  FLEET_VAULT_DIR or the repo-local default resolves to, so this template
+ *  never carries an operator-specific assumption. */
+export function generateAgentUnit(vaultPath) {
+    return [
+        '[Unit]',
+        'Description=Fleet Secrets Agent for %i',
+        'After=network.target',
+        'PartOf=docker-%i.service',
+        '',
+        '[Service]',
+        'Type=notify',
+        'DynamicUser=yes',
+        'RuntimeDirectory=fleet-secrets',
+        'RuntimeDirectoryPreserve=yes',
+        'LoadCredentialEncrypted=age-key:/etc/fleet/credentials/%i.cred',
+        `ExecStart=/usr/local/bin/fleet-agent --app %i --vault ${vaultPath} --socket /run/fleet-secrets/%i.sock`,
+        'Restart=on-failure',
+        'RestartSec=2',
+        '',
+        '# hardening',
+        'ProtectSystem=strict',
+        'ProtectHome=read-only',
+        `ReadOnlyPaths=${vaultPath}`,
+        'PrivateTmp=yes',
+        'NoNewPrivileges=yes',
+        'ProtectKernelTunables=yes',
+        'ProtectKernelModules=yes',
+        'ProtectControlGroups=yes',
+        'RestrictAddressFamilies=AF_UNIX',
+        'RestrictNamespaces=yes',
+        'SystemCallFilter=@system-service',
+        'SystemCallFilter=~@privileged @resources @mount',
+        '',
+        '[Install]',
+        'WantedBy=multi-user.target',
+        '',
+    ].join('\n');
+}

package/dist/templates/app-unit-edit.d.ts

@@ -0,0 +1,2 @@
+export declare function addAgentDependency(content: string, app: string): string;
+export declare function removeAgentDependency(content: string, app: string): string;

package/dist/templates/app-unit-edit.js

@@ -0,0 +1,46 @@
+function findUnitSection(content) {
+    const lines = content.split('\n');
+    let start = -1;
+    let end = -1;
+    for (let i = 0; i < lines.length; i++) {
+        if (lines[i].trim() === '[Unit]') {
+            start = i;
+            continue;
+        }
+        if (start >= 0 && lines[i].startsWith('[') && lines[i].endsWith(']')) {
+            end = i;
+            break;
+        }
+    }
+    if (start < 0)
+        throw new Error('no [Unit] section found');
+    if (end < 0)
+        end = lines.length;
+    return { start, end };
+}
+export function addAgentDependency(content, app) {
+    const lines = content.split('\n');
+    const requires = `Requires=fleet-secrets-agent@${app}.service`;
+    const after = `After=fleet-secrets-agent@${app}.service`;
+    if (lines.includes(requires) && lines.includes(after))
+        return content;
+    const section = findUnitSection(content);
+    let insertAt = section.end;
+    while (insertAt > section.start + 1 && lines[insertAt - 1].trim() === '')
+        insertAt--;
+    const toInsert = [];
+    if (!lines.includes(requires))
+        toInsert.push(requires);
+    if (!lines.includes(after))
+        toInsert.push(after);
+    lines.splice(insertAt, 0, ...toInsert);
+    return lines.join('\n');
+}
+export function removeAgentDependency(content, app) {
+    const requires = `Requires=fleet-secrets-agent@${app}.service`;
+    const after = `After=fleet-secrets-agent@${app}.service`;
+    return content
+        .split('\n')
+        .filter(l => l !== requires && l !== after)
+        .join('\n');
+}

package/dist/templates/compose-edit.d.ts

@@ -0,0 +1,2 @@
+export declare function migrateComposeToV2(yamlContent: string, app: string, service: string): string;
+export declare function revertComposeFromV2(yamlContent: string, app: string, service: string): string;

package/dist/templates/compose-edit.js

@@ -0,0 +1,156 @@
+import { parseDocument, Scalar, isMap, isSeq, isScalar } from 'yaml';
+const FLEET_ENV_KEY = 'FLEET_SECRETS_SOCKET';
+const FLEET_ENV_VAL = '/run/fleet.sock';
+function v1EnvFile(app) {
+    return `/run/fleet-secrets/${app}/.env`;
+}
+function v2SocketMount(app) {
+    return `/run/fleet-secrets/${app}.sock:/run/fleet.sock:ro`;
+}
+function getService(doc, service) {
+    const svc = doc.getIn(['services', service], true);
+    if (!svc || !isMap(svc)) {
+        throw new Error(`service '${service}' not found in compose file`);
+    }
+    return svc;
+}
+function removeEnvFileEntry(svc, app) {
+    const v1Path = v1EnvFile(app);
+    const raw = svc.get('env_file', true);
+    if (raw === undefined || raw === null)
+        return;
+    if (isScalar(raw)) {
+        if (raw.value === v1Path) {
+            svc.delete('env_file');
+        }
+        return;
+    }
+    if (isSeq(raw)) {
+        const seq = raw;
+        const idx = seq.items.findIndex(item => isScalar(item) && item.value === v1Path);
+        if (idx !== -1) {
+            seq.items.splice(idx, 1);
+        }
+        if (seq.items.length === 0) {
+            svc.delete('env_file');
+        }
+        return;
+    }
+    if (typeof raw === 'string' && raw === v1Path) {
+        svc.delete('env_file');
+    }
+}
+function ensureEnvVar(svc) {
+    const envRaw = svc.get('environment', true);
+    if (!envRaw) {
+        svc.set('environment', { [FLEET_ENV_KEY]: FLEET_ENV_VAL });
+        return;
+    }
+    if (isMap(envRaw)) {
+        const env = envRaw;
+        if (!env.has(FLEET_ENV_KEY)) {
+            env.set(FLEET_ENV_KEY, FLEET_ENV_VAL);
+        }
+        return;
+    }
+    if (isSeq(envRaw)) {
+        const seq = envRaw;
+        const kvPrefix = `${FLEET_ENV_KEY}=`;
+        const already = seq.items.some(item => isScalar(item) && typeof item.value === 'string' && item.value.startsWith(kvPrefix));
+        if (!already) {
+            seq.add(`${FLEET_ENV_KEY}=${FLEET_ENV_VAL}`);
+        }
+        return;
+    }
+}
+function removeEnvVar(svc) {
+    const envRaw = svc.get('environment', true);
+    if (!envRaw)
+        return;
+    if (isMap(envRaw)) {
+        const env = envRaw;
+        env.delete(FLEET_ENV_KEY);
+        if (env.items.length === 0) {
+            svc.delete('environment');
+        }
+        return;
+    }
+    if (isSeq(envRaw)) {
+        const seq = envRaw;
+        const kvPrefix = `${FLEET_ENV_KEY}=`;
+        const idx = seq.items.findIndex(item => isScalar(item) && typeof item.value === 'string' && item.value.startsWith(kvPrefix));
+        if (idx !== -1) {
+            seq.items.splice(idx, 1);
+        }
+        if (seq.items.length === 0) {
+            svc.delete('environment');
+        }
+    }
+}
+function ensureSocketMount(svc, app) {
+    const mount = v2SocketMount(app);
+    const volRaw = svc.get('volumes', true);
+    if (!volRaw) {
+        svc.set('volumes', [mount]);
+        return;
+    }
+    if (isSeq(volRaw)) {
+        const seq = volRaw;
+        const already = seq.items.some(item => isScalar(item) && item.value === mount);
+        if (!already) {
+            seq.add(mount);
+        }
+        return;
+    }
+}
+function removeSocketMount(svc, app) {
+    const mount = v2SocketMount(app);
+    const volRaw = svc.get('volumes', true);
+    if (!volRaw || !isSeq(volRaw))
+        return;
+    const seq = volRaw;
+    const idx = seq.items.findIndex(item => isScalar(item) && item.value === mount);
+    if (idx !== -1) {
+        seq.items.splice(idx, 1);
+    }
+    if (seq.items.length === 0) {
+        svc.delete('volumes');
+    }
+}
+function restoreEnvFile(svc, app) {
+    const v1Path = v1EnvFile(app);
+    const raw = svc.get('env_file', true);
+    if (!raw) {
+        svc.set('env_file', v1Path);
+        return;
+    }
+    if (isScalar(raw)) {
+        if (raw.value !== v1Path) {
+            svc.set('env_file', v1Path);
+        }
+        return;
+    }
+    if (isSeq(raw)) {
+        const seq = raw;
+        const already = seq.items.some(item => isScalar(item) && item.value === v1Path);
+        if (!already) {
+            seq.items.unshift(new Scalar(v1Path));
+        }
+    }
+}
+export function migrateComposeToV2(yamlContent, app, service) {
+    const doc = parseDocument(yamlContent);
+    const svc = getService(doc, service);
+    removeEnvFileEntry(svc, app);
+    ensureEnvVar(svc);
+    ensureSocketMount(svc, app);
+    return doc.toString();
+}
+export function revertComposeFromV2(yamlContent, app, service) {
+    const doc = parseDocument(yamlContent);
+    const svc = getService(doc, service);
+    removeSocketMount(svc, app);
+    removeEnvVar(svc);
+    restoreEnvFile(svc, app);
+    return doc.toString();
+}

package/dist/templates/nginx.js

@@ -1,4 +1,15 @@
+import { assertDomain, assertHealthPath } from '../core/validate.js';
 export function generateNginxConfig(opts) {
+    // defence-in-depth: callers are expected to validate already, but a
+    // missed call must not produce a config that injects directives via
+    // ${domain} (server_name interpolation) or ${port} (proxy_pass).
+    // mirrors the assertComposeFile pattern in src/templates/systemd.ts.
+    assertDomain(opts.domain);
+    if (!Number.isInteger(opts.port) || opts.port < 1 || opts.port > 65535) {
+        throw new Error(`invalid port: ${opts.port}`);
+    }
+    if (opts.apiPrefix !== undefined)
+        assertHealthPath(opts.apiPrefix);
     const { domain, port, type } = opts;
     const apiPrefix = opts.apiPrefix ?? '/api';
     const securityHeaders = `    add_header X-Content-Type-Options "nosniff" always;

package/dist/templates/systemd.js

@@ -1,4 +1,10 @@
+import { assertComposeFile } from '../core/validate.js';
 export function generateServiceFile(opts) {
+    // Defence-in-depth: even if a caller skipped upstream validation, refuse to
+    // emit a unit file with a composeFile value that could break out of the
+    // quoted -f argument and inject extra docker-compose flags or shell.
+    if (opts.composeFile)
+        assertComposeFile(opts.composeFile);
     const fileFlag = opts.composeFile ? ` -f "${opts.composeFile}"` : '';
     const dbDep = opts.dependsOnDatabases ? ' docker-databases.service' : '';
     return `[Unit]

package/dist/tui/components/ArgForm.d.ts

@@ -0,0 +1,7 @@
+import React from 'react';
+import { z } from 'zod';
+export declare function ArgForm(props: {
+    schema: z.ZodObject<z.ZodRawShape>;
+    onSubmit: (values: Record<string, unknown>) => void;
+    onCancel: () => void;
+}): React.JSX.Element;

package/dist/tui/components/ArgForm.js

@@ -0,0 +1,64 @@
+import { jsxs as _jsxs, jsx as _jsx } from "react/jsx-runtime";
+import { useState } from 'react';
+import { Box, Text } from 'ink';
+import { z } from 'zod';
+import { useRegisterHandler } from '@matthesketh/ink-input-dispatcher';
+import { colors } from '../theme.js';
+function describeField(name, schema) {
+    let s = schema;
+    while (s instanceof z.ZodOptional || s instanceof z.ZodDefault) {
+        s = s._def.innerType;
+    }
+    if (s instanceof z.ZodBoolean)
+        return { name, kind: 'boolean' };
+    if (s instanceof z.ZodNumber)
+        return { name, kind: 'number' };
+    if (s instanceof z.ZodEnum)
+        return { name, kind: 'enum', options: s._def.values };
+    return { name, kind: 'string' };
+}
+export function ArgForm(props) {
+    const fields = Object.entries(props.schema.shape).map(([n, s]) => describeField(n, s));
+    const [cursor, setCursor] = useState(0);
+    const [values, setValues] = useState(() => Object.fromEntries(fields.map(f => [f.name, f.kind === 'boolean' ? false : ''])));
+    const handler = (input, key) => {
+        if (key.escape) {
+            props.onCancel();
+            return true;
+        }
+        if (key.return) {
+            props.onSubmit(values);
+            return true;
+        }
+        if (key.downArrow) {
+            setCursor(c => Math.min(c + 1, fields.length - 1));
+            return true;
+        }
+        if (key.upArrow) {
+            setCursor(c => Math.max(c - 1, 0));
+            return true;
+        }
+        const field = fields[cursor];
+        if (!field)
+            return false;
+        if (field.kind === 'boolean') {
+            if (input === ' ') {
+                setValues(v => ({ ...v, [field.name]: !v[field.name] }));
+                return true;
+            }
+        }
+        else if (key.backspace || key.delete) {
+            setValues(v => ({ ...v, [field.name]: String(v[field.name] ?? '').slice(0, -1) }));
+            return true;
+        }
+        else if (input && !key.ctrl && !key.meta) {
+            setValues(v => ({ ...v, [field.name]: String(v[field.name] ?? '') + input }));
+            return true;
+        }
+        return false;
+    };
+    useRegisterHandler(handler);
+    return (_jsxs(Box, { flexDirection: "column", children: [fields.map((f, i) => (_jsxs(Box, { children: [_jsxs(Text, { color: i === cursor ? colors.primary : colors.muted, children: [i === cursor ? '> ' : '  ', f.name, ":", ' '] }), _jsx(Text, { children: f.kind === 'boolean'
+                            ? (values[f.name] ? '[x]' : '[ ]')
+                            : String(values[f.name] ?? '') })] }, f.name))), _jsx(Box, { marginTop: 1, children: _jsx(Text, { color: colors.muted, children: "\u2191\u2193 field \u00B7 space toggle \u00B7 enter run \u00B7 esc cancel" }) })] }));
+}

package/dist/tui/components/ArgForm.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tui/components/ArgForm.test.js

@@ -0,0 +1,19 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+import { render } from 'ink-testing-library';
+import { describe, it, expect } from 'vitest';
+import { z } from 'zod';
+import { ArgForm } from './ArgForm.js';
+describe('ArgForm', () => {
+    it('renders one labelled field per schema property', () => {
+        const schema = z.object({ app: z.string(), force: z.boolean().default(false) });
+        const { lastFrame } = render(_jsx(ArgForm, { schema: schema, onSubmit: () => { }, onCancel: () => { } }));
+        const frame = lastFrame() ?? '';
+        expect(frame).toContain('app');
+        expect(frame).toContain('force');
+    });
+    it('shows a toggle hint for boolean fields', () => {
+        const schema = z.object({ force: z.boolean().default(false) });
+        const { lastFrame } = render(_jsx(ArgForm, { schema: schema, onSubmit: () => { }, onCancel: () => { } }));
+        expect(lastFrame() ?? '').toMatch(/false|off|\[ \]/i);
+    });
+});

package/dist/tui/components/KeyHint.js

@@ -54,6 +54,11 @@ const viewHints = {
         { key: 'L', label: 'level' },
         { key: 'q', label: 'quit' },
     ],
+    'command-palette': [
+        { key: '↑/↓', label: 'navigate' },
+        { key: 'Enter', label: 'run' },
+        { key: 'Esc', label: 'close' },
+    ],
 };
 export function KeyHint() {
     const { currentView, confirmAction } = useAppState();

package/dist/tui/hooks/use-secrets.d.ts

@@ -20,28 +20,28 @@ interface SecretsState {
 interface SecretsActions {
     refresh: () => void;
     loadAppSecrets: (app: string) => void;
-    saveSecret: (app: string, key: string, value: string) => {
+    saveSecret: (app: string, key: string, value: string) => Promise<{
         ok: boolean;
         error?: string;
-    };
-    deleteSecret: (app: string, key: string) => {
+    }>;
+    deleteSecret: (app: string, key: string) => Promise<{
         ok: boolean;
         error?: string;
-    };
+    }>;
     revealSecret: (app: string, key: string) => void;
     hideSecret: (key: string) => void;
     unseal: () => {
         ok: boolean;
         error?: string;
     };
-    seal: () => {
+    seal: () => Promise<{
         ok: boolean;
         error?: string;
-    };
-    importEnv: (app: string, path: string) => {
+    }>;
+    importEnv: (app: string, path: string) => Promise<{
         ok: boolean;
         error?: string;
-    };
+    }>;
 }
 export declare function useSecrets(): SecretsState & SecretsActions;
 export {};

package/dist/tui/hooks/use-secrets.js

@@ -48,9 +48,9 @@ export function useSecrets() {
             }));
         }
     }, []);
-    const saveSecret = useCallback((app, key, value) => {
+    const saveSecret = useCallback(async (app, key, value) => {
         try {
-            setSecret(app, key, value);
+            await setSecret(app, key, value);
             // Re-unseal to update runtime
             try {
                 unsealAll();
@@ -62,7 +62,7 @@ export function useSecrets() {
             return { ok: false, error: err instanceof Error ? err.message : 'Failed to save secret' };
         }
     }, []);
-    const deleteSecret = useCallback((app, key) => {
+    const deleteSecret = useCallback(async (app, key) => {
         try {
             const plaintext = decryptApp(app);
             const manifest = loadManifest();
@@ -114,9 +114,9 @@ export function useSecrets() {
             return { ok: false, error: err instanceof Error ? err.message : 'Failed to unseal' };
         }
     }, []);
-    const seal = useCallback(() => {
+    const seal = useCallback(async () => {
         try {
-            sealFromRuntime();
+            await sealFromRuntime();
             setState(prev => ({ ...prev, sealed: true }));
             return { ok: true };
         }
@@ -124,9 +124,9 @@ export function useSecrets() {
             return { ok: false, error: err instanceof Error ? err.message : 'Failed to seal' };
         }
     }, []);
-    const importEnv = useCallback((app, path) => {
+    const importEnv = useCallback(async (app, path) => {
         try {
-            importEnvFile(app, path);
+            await importEnvFile(app, path);
             try {
                 unsealAll();
             }

package/dist/tui/router.d.ts

@@ -1,2 +1,3 @@
 import React from 'react';
+export declare function ViewRouter(): React.JSX.Element;
 export declare function App(): React.JSX.Element;

package/dist/tui/router.js

@@ -17,6 +17,7 @@ import { SecretsView } from './views/SecretsView.js';
 import { SecretEdit } from './views/SecretEdit.js';
 import { HealthView } from './views/HealthView.js';
 import { LogsView } from './views/LogsView.js';
+import { CommandPalette } from './views/CommandPalette.js';
 import { isSealed, isInitialized } from '../core/secrets.js';
 const HELP_GROUPS = [
     {
@@ -47,8 +48,9 @@ const HELP_GROUPS = [
         ],
     },
 ];
-function ViewRouter() {
+export function ViewRouter() {
     const state = React.useContext(AppStateContext);
+    const dispatch = React.useContext(AppDispatchContext);
     switch (state.currentView) {
         case 'dashboard':
             return _jsx(Dashboard, {});
@@ -62,6 +64,8 @@ function ViewRouter() {
             return _jsx(SecretEdit, {});
         case 'logs':
             return _jsx(LogsView, {});
+        case 'command-palette':
+            return (_jsx(CommandPalette, { onClose: () => dispatch({ type: 'GO_BACK' }), onOpenView: view => dispatch({ type: 'NAVIGATE', view: view }) }));
         default:
             return _jsx(Dashboard, {});
     }
@@ -75,7 +79,10 @@ function UpdateBanner({ info, inProgress }) {
     }
     const ahead = info.behind;
     const subject = info.latestSubject ? ` — ${info.latestSubject}` : '';
-    return (_jsx(Box, { paddingX: 1, children: _jsxs(Box, { borderStyle: "round", borderColor: "cyan", paddingX: 1, children: [_jsxs(Text, { color: "cyan", children: ["\u2191 Update available: ", ahead, " commit", ahead === 1 ? '' : 's', " ahead", subject, ". Press "] }), _jsx(Text, { color: "cyan", bold: true, children: "U" }), _jsx(Text, { color: "cyan", children: " to install." })] }) }));
+    // channel label only surfaces on prerelease so the stable case stays
+    // visually identical to what operators have seen for several releases.
+    const channelLabel = info.channel === 'prerelease' ? ' (prerelease)' : '';
+    return (_jsx(Box, { paddingX: 1, children: _jsxs(Box, { borderStyle: "round", borderColor: "cyan", paddingX: 1, children: [_jsxs(Text, { color: "cyan", children: ["\u2191 Update available", channelLabel, ": ", ahead, " commit", ahead === 1 ? '' : 's', " ahead", subject, ". Press "] }), _jsx(Text, { color: "cyan", bold: true, children: "U" }), _jsx(Text, { color: "cyan", children: " to install." })] }) }));
 }
 export function App() {
     const [state, dispatch] = useReducer(reducer, initialState);
@@ -141,27 +148,37 @@ export function App() {
             }
             return true;
         }
-        if (input === '?' && state.currentView !== 'secret-edit') {
+        // command-palette and secret-edit capture raw text input — the global
+        // single-key shortcuts must not fire while either is open.
+        const isInputView = state.currentView === 'secret-edit' || state.currentView === 'command-palette';
+        if (input === '?' && !isInputView) {
             setShowHelp(true);
             return true;
         }
-        if (input === 'q' && state.currentView !== 'secret-edit') {
+        if (input === ':' && !isInputView) {
+            dispatch({ type: 'NAVIGATE', view: 'command-palette' });
+            return true;
+        }
+        if (input === 'q' && !isInputView) {
             process.exit(0);
             return true;
         }
-        if (input === 'x' && state.currentView !== 'secret-edit') {
+        if (input === 'x' && !isInputView) {
             dispatch({ type: 'TOGGLE_REDACT' });
             return true;
         }
         // U → apply pending update. Only fires when one is actually available.
-        if ((input === 'U' || input === 'u') && state.currentView !== 'secret-edit') {
+        if ((input === 'U' || input === 'u') && !isInputView) {
             const info = updateInfoRef.current;
             if (info?.available && !updateInProgressRef.current) {
                 setUpdateInProgress(true);
                 applyUpdate().then(result => {
                     setUpdateInProgress(false);
                     if (result.ok) {
-                        setUpdateInfo({ available: false, behind: 0, latestSubject: '', branch: info.branch });
+                        setUpdateInfo({
+                            available: false, behind: 0, latestSubject: '',
+                            branch: info.branch, remoteBranch: info.remoteBranch, channel: info.channel,
+                        });
                     }
                     // Result reported via UpdateBanner below.
                     App.__lastUpdateOutput = result.output;
@@ -172,7 +189,7 @@ export function App() {
                 return true;
             }
         }
-        if (key.tab) {
+        if (key.tab && state.currentView !== 'command-palette') {
             const topViews = ['dashboard', 'health', 'secrets', 'logs-multi'];
             const base = topViews.includes(state.currentView)
                 ? state.currentView
@@ -180,7 +197,7 @@ export function App() {
             dispatch({ type: 'NAVIGATE', view: nextTopView(base) });
             return true;
         }
-        if (key.escape && state.previousView) {
+        if (key.escape && state.previousView && state.currentView !== 'command-palette') {
             dispatch({ type: 'GO_BACK' });
             return true;
         }

package/dist/tui/router.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tui/router.test.js

@@ -0,0 +1,13 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+import { render } from 'ink-testing-library';
+import { describe, it, expect } from 'vitest';
+import { InputDispatcher } from '@matthesketh/ink-input-dispatcher';
+import { ViewRouter } from './router.js';
+import { AppStateContext, AppDispatchContext, initialState } from './state.js';
+describe('command palette routing', () => {
+    it('renders the command palette for the command-palette view', async () => {
+        const { lastFrame } = render(_jsx(InputDispatcher, { globalHandler: () => false, children: _jsx(AppStateContext.Provider, { value: { ...initialState, currentView: 'command-palette' }, children: _jsx(AppDispatchContext.Provider, { value: () => { }, children: _jsx(ViewRouter, {}) }) }) }));
+        await new Promise(r => setTimeout(r, 30));
+        expect(lastFrame() ?? '').toContain('Command palette');
+    });
+});

package/dist/tui/routines/components/SignalsGrid.test.js

@@ -21,9 +21,9 @@ describe('SignalsGrid', () => {
         expect(frame).toContain('CI');
     });
     it('renders a row with repo name when signals present', () => {
-        const rows = [{ repo: 'abmanandvan', signals: [mkSignal('git-clean', 'ok')] }];
+        const rows = [{ repo: 'movers-co', signals: [mkSignal('git-clean', 'ok')] }];
         const { lastFrame } = render(_jsx(SignalsGrid, { rows: rows, selectedIndex: 0, kinds: ['git-clean'] }));
-        expect(lastFrame()).toContain('abmanandvan');
+        expect(lastFrame()).toContain('movers-co');
     });
     it('shows empty-state message with no repos', () => {
         const { lastFrame } = render(_jsx(SignalsGrid, { rows: [], selectedIndex: 0, kinds: ['git-clean'] }));

package/dist/tui/routines/tabs/ScaffoldTab.js

@@ -69,7 +69,7 @@ function buildPlan(draft) {
 export function ScaffoldTab() {
     const [draft, setDraft] = useState({
         name: '',
-        composePath: '/home/matt/',
+        composePath: '/home/operator/',
         port: '3000',
         domain: '',
         usesSharedDb: true,

package/dist/tui/tests/redaction-rerender.test.d.ts

@@ -0,0 +1 @@
+export {};