@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/commands/patch-systemd.js

@@ -1,12 +1,11 @@
 import { copyFileSync, existsSync, renameSync, writeFileSync } from 'node:fs';
+import { z } from 'zod';
 import { load } from '../core/registry.js';
 import { readServiceFile } from '../core/systemd.js';
 import { execSafe } from '../core/exec.js';
-import { success, warn, info, error } from '../ui/output.js';
+import { defineCommand } from '../registry/registry.js';
 const SERVICE_DIR = '/etc/systemd/system';
-export function patchSystemdCommand(args) {
-    if (args.includes('--rollback'))
-        return rollback();
+function runPatch(ctx) {
     const reg = load();
     const dbServiceName = reg.infrastructure.databases.serviceName;
     const appServiceNames = reg.apps.map(a => a.serviceName);
@@ -20,20 +19,20 @@ export function patchSystemdCommand(args) {
     }
     targetMap.set(dbServiceName, { name: dbServiceName, rewriteExecStart: false });
     const targets = Array.from(targetMap.values());
-    info(`Patching ${targets.length} service(s)...`);
+    ctx.log({ level: 'info', message: `patching ${targets.length} service(s)...` });
     let patched = 0;
     let skipped = 0;
     for (const { name, rewriteExecStart } of targets) {
         const path = `${SERVICE_DIR}/${name}.service`;
         const content = readServiceFile(name);
         if (content === null) {
-            warn(`${name}: no service file found, skipping`);
+            ctx.log({ level: 'warn', message: `${name}: no service file found, skipping` });
             skipped++;
             continue;
         }
         let updated = content;
         let changed = false;
-        // Existing behavior: add StartLimitBurst if missing (applies to ALL services including databases)
+        // existing behaviour: add StartLimitBurst if missing (applies to ALL services including databases)
         if (!updated.includes('StartLimitBurst=')) {
             updated = updated.replace(/(\[Service\])/, '$1\nStartLimitBurst=5\nStartLimitIntervalSec=300');
             changed = true;
@@ -45,7 +44,7 @@ export function patchSystemdCommand(args) {
                 updated = updated.replace(/^ExecStart=.*$/m, expectedExecStart);
                 changed = true;
             }
-            // Ensure TimeoutStartSec=900
+            // ensure TimeoutStartSec=900
             if (!updated.includes('TimeoutStartSec=900')) {
                 if (/^TimeoutStartSec=\d+/m.test(updated)) {
                     updated = updated.replace(/^TimeoutStartSec=\d+.*$/m, 'TimeoutStartSec=900');
@@ -57,37 +56,49 @@ export function patchSystemdCommand(args) {
             }
         }
         if (!changed) {
-            info(`${name}: already patched, skipping`);
+            ctx.log({ level: 'info', message: `${name}: already patched, skipping` });
             skipped++;
             continue;
         }
-        // Backup original before overwrite
+        // backup original before overwrite
         try {
             copyFileSync(path, `${path}.bak`);
         }
         catch (err) {
-            warn(`${name}: failed to create .bak (${err instanceof Error ? err.message : String(err)}); skipping for safety`);
+            ctx.log({
+                level: 'warn',
+                message: `${name}: failed to create .bak (${err instanceof Error ? err.message : String(err)}); skipping for safety`,
+            });
             skipped++;
             continue;
         }
         writeFileSync(path, updated);
-        success(`${name}: patched`);
+        ctx.log({ level: 'info', message: `${name}: patched` });
         patched++;
     }
     if (patched === 0) {
-        info('No services needed patching');
-        return;
+        return {
+            ok: true,
+            summary: 'no services needed patching',
+            data: { action: 'patch', changed: 0, skipped },
+        };
     }
-    info('Running systemctl daemon-reload...');
+    ctx.log({ level: 'info', message: 'running systemctl daemon-reload...' });
     const result = execSafe('systemctl', ['daemon-reload']);
-    if (result.ok) {
-        success(`Done — patched ${patched} service(s), skipped ${skipped}`);
-    }
-    else {
-        warn(`daemon-reload failed: ${result.stderr}`);
+    if (!result.ok) {
+        return {
+            ok: false,
+            summary: `patched ${patched} service(s) but daemon-reload failed: ${result.stderr}`,
+            data: { action: 'patch', changed: patched, skipped },
+        };
     }
+    return {
+        ok: true,
+        summary: `patched ${patched} service(s), skipped ${skipped}`,
+        data: { action: 'patch', changed: patched, skipped },
+    };
 }
-function rollback() {
+function runRollback(ctx) {
     const reg = load();
     const serviceNames = [
         ...reg.apps.map(a => a.serviceName),
@@ -104,23 +115,52 @@ function rollback() {
         }
         try {
             renameSync(bak, path);
-            success(`${name}: restored from .bak`);
+            ctx.log({ level: 'info', message: `${name}: restored from .bak` });
             restored++;
         }
         catch (err) {
-            error(`${name}: failed to restore: ${err instanceof Error ? err.message : String(err)}`);
+            ctx.log({
+                level: 'error',
+                message: `${name}: failed to restore: ${err instanceof Error ? err.message : String(err)}`,
+            });
         }
     }
     if (restored === 0) {
-        info('No .bak files found to restore');
-        return;
+        return {
+            ok: true,
+            summary: 'no .bak files found to restore',
+            data: { action: 'rollback', changed: 0, skipped: missing },
+        };
     }
-    info('Running systemctl daemon-reload...');
+    ctx.log({ level: 'info', message: 'running systemctl daemon-reload...' });
     const result = execSafe('systemctl', ['daemon-reload']);
-    if (result.ok) {
-        success(`Done — restored ${restored}, missing ${missing}`);
-    }
-    else {
-        warn(`daemon-reload failed: ${result.stderr}`);
+    if (!result.ok) {
+        return {
+            ok: false,
+            summary: `restored ${restored} but daemon-reload failed: ${result.stderr}`,
+            data: { action: 'rollback', changed: restored, skipped: missing },
+        };
     }
+    return {
+        ok: true,
+        summary: `restored ${restored}, missing ${missing}`,
+        data: { action: 'rollback', changed: restored, skipped: missing },
+    };
 }
+export const patchSystemdCommand = defineCommand({
+    name: 'patch-systemd',
+    summary: 'Add StartLimit settings to all service files',
+    args: z.object({ rollback: z.boolean().default(false), yes: z.boolean().default(false) }),
+    destructive: true,
+    async run(args, ctx) {
+        const verb = args.rollback ? 'roll back' : 'patch';
+        if (!args.yes && !(await ctx.confirm(`${verb} all fleet systemd unit files?`))) {
+            return {
+                ok: false,
+                summary: 'cancelled',
+                data: { action: args.rollback ? 'rollback' : 'patch', changed: 0, skipped: 0 },
+            };
+        }
+        return args.rollback ? runRollback(ctx) : runPatch(ctx);
+    },
+});

package/dist/commands/remove.d.ts

@@ -1 +1,3 @@
-export declare function removeCommand(args: string[]): Promise<void>;
+export declare const removeCommand: import("../registry/types.js").CommandDef<{
+    app: string;
+}>;

package/dist/commands/remove.js

@@ -1,28 +1,39 @@
-import { load, save, findApp, removeApp } from '../core/registry.js';
+import { z } from 'zod';
+import { load, findApp, removeApp, withRegistry } from '../core/registry.js';
 import { stopService, disableService } from '../core/systemd.js';
 import { AppNotFoundError } from '../core/errors.js';
-import { success, error, info, warn } from '../ui/output.js';
-import { confirm } from '../ui/confirm.js';
-export async function removeCommand(args) {
-    const yes = args.includes('-y') || args.includes('--yes');
-    const appName = args.find(a => !a.startsWith('-'));
-    if (!appName) {
-        error('Usage: fleet remove <app>');
-        process.exit(1);
-    }
-    const reg = load();
-    const app = findApp(reg, appName);
-    if (!app)
-        throw new AppNotFoundError(appName);
-    if (!yes && !await confirm(`Remove ${app.name}? This will stop and disable the service.`)) {
-        info('Cancelled');
-        return;
-    }
-    info(`Stopping ${app.serviceName}...`);
-    stopService(app.serviceName);
-    info(`Disabling ${app.serviceName}...`);
-    disableService(app.serviceName);
-    save(removeApp(reg, app.name));
-    success(`Removed ${app.name} from registry`);
-    warn('Service file not deleted - remove manually if needed');
-}
+import { defineCommand } from '../registry/registry.js';
+export const removeCommand = defineCommand({
+    name: 'remove',
+    summary: 'Stop, disable and deregister an app',
+    args: z.object({ app: z.string(), yes: z.boolean().default(false) }),
+    destructive: true,
+    async run(args, ctx) {
+        const app = findApp(load(), args.app);
+        if (!app) {
+            return { ok: false, summary: `app not found: ${args.app}`, data: { app: args.app } };
+        }
+        if (!args.yes && !(await ctx.confirm(`Remove ${app.name}? This will stop and disable the service.`))) {
+            return { ok: false, summary: 'cancelled', data: { app: app.name } };
+        }
+        // systemctl runs outside the registry lock so we don't hold it while
+        // services stop/disable.
+        stopService(app.serviceName);
+        disableService(app.serviceName);
+        try {
+            await withRegistry(reg => {
+                const fresh = findApp(reg, app.name);
+                if (!fresh)
+                    throw new AppNotFoundError(app.name);
+                return removeApp(reg, fresh.name);
+            });
+        }
+        catch (err) {
+            // a concurrent process removed the app between the unlocked preview and
+            // the locked mutation — surface it as a graceful expected failure.
+            return { ok: false, summary: err instanceof Error ? err.message : String(err), data: { app: app.name } };
+        }
+        ctx.log({ level: 'warn', message: 'service file not deleted — remove manually if needed' });
+        return { ok: true, summary: `removed ${app.name} from registry`, data: { app: app.name } };
+    },
+});

package/dist/commands/restart.d.ts

@@ -1 +1,4 @@
-export declare function restartCommand(args: string[]): void;
+export declare const restartCommand: import("../registry/types.js").CommandDef<{
+    app: string;
+    service: string;
+}>;

package/dist/commands/restart.js

@@ -1,22 +1,19 @@
+import { z } from 'zod';
 import { load, findApp } from '../core/registry.js';
 import { restartService } from '../core/systemd.js';
-import { AppNotFoundError } from '../core/errors.js';
-import { success, error } from '../ui/output.js';
-export function restartCommand(args) {
-    const appName = args[0];
-    if (!appName) {
-        error('Usage: fleet restart <app>');
-        process.exit(1);
-    }
-    const reg = load();
-    const app = findApp(reg, appName);
-    if (!app)
-        throw new AppNotFoundError(appName);
-    if (restartService(app.serviceName)) {
-        success(`Restarted ${app.name}`);
-    }
-    else {
-        error(`Failed to restart ${app.name}`);
-        process.exit(1);
-    }
-}
+import { defineCommand } from '../registry/registry.js';
+export const restartCommand = defineCommand({
+    name: 'restart',
+    summary: 'Restart an app via systemctl',
+    args: z.object({ app: z.string() }),
+    async run(args) {
+        const app = findApp(load(), args.app);
+        if (!app) {
+            return { ok: false, summary: `app not found: ${args.app}`, data: { app: args.app, service: '' } };
+        }
+        if (!restartService(app.serviceName)) {
+            return { ok: false, summary: `failed to restart ${app.name}`, data: { app: app.name, service: app.serviceName } };
+        }
+        return { ok: true, summary: `restarted ${app.name}`, data: { app: app.name, service: app.serviceName } };
+    },
+});

package/dist/commands/rollback.d.ts

@@ -1 +1,4 @@
-export declare function rollbackCommand(args: string[]): Promise<void>;
+export declare const rollbackCommand: import("../registry/types.js").CommandDef<{
+    app: string;
+    image: string;
+}>;

package/dist/commands/rollback.js

@@ -1,12 +1,8 @@
+import { z } from 'zod';
 import { load, findApp } from '../core/registry.js';
 import { execSafe } from '../core/exec.js';
 import { restartService } from '../core/systemd.js';
-function log(msg) {
-    process.stdout.write(`[rollback] ${msg}\n`);
-}
-function logErr(msg) {
-    process.stderr.write(`[rollback] ${msg}\n`);
-}
+import { defineCommand } from '../registry/registry.js';
 function resolveImageName(composePath, composeFile) {
     const args = ['compose', ...(composeFile ? ['-f', composeFile] : []), 'config', '--images'];
     const r = execSafe('docker', args, { cwd: composePath, timeout: 15_000 });
@@ -20,39 +16,34 @@ function splitImageBase(image) {
         return image;
     return image.slice(0, lastColon);
 }
-export async function rollbackCommand(args) {
-    const appName = args[0];
-    if (!appName) {
-        logErr('Usage: fleet rollback <app>');
-        process.exit(1);
-    }
-    const reg = load();
-    const app = findApp(reg, appName);
-    if (!app) {
-        logErr(`app not found: ${appName}`);
-        process.exit(1);
-    }
-    const image = resolveImageName(app.composePath, app.composeFile);
-    if (!image) {
-        logErr(`could not resolve image name for ${app.name}`);
-        process.exit(1);
-    }
-    const base = splitImageBase(image);
-    const previous = `${base}:fleet-previous`;
-    const latest = image;
-    if (!execSafe('docker', ['image', 'inspect', previous], { timeout: 10_000 }).ok) {
-        logErr(`no previous image found (${previous}) — nothing to roll back to`);
-        process.exit(1);
-    }
-    const tag = execSafe('docker', ['tag', previous, latest], { timeout: 10_000 });
-    if (!tag.ok) {
-        logErr(`docker tag failed: ${tag.stderr || `exit ${tag.exitCode}`}`);
-        process.exit(1);
-    }
-    const ok = restartService(app.serviceName);
-    if (!ok) {
-        logErr(`tag restored but service restart failed for ${app.serviceName}`);
-        process.exit(1);
-    }
-    log(`rolled back ${app.name} to ${previous}`);
-}
+export const rollbackCommand = defineCommand({
+    name: 'rollback',
+    summary: 'Roll back app to previous image',
+    args: z.object({ app: z.string(), yes: z.boolean().default(false) }),
+    destructive: true,
+    async run(args, ctx) {
+        const app = findApp(load(), args.app);
+        if (!app) {
+            return { ok: false, summary: `app not found: ${args.app}`, data: { app: args.app, image: '' } };
+        }
+        const image = resolveImageName(app.composePath, app.composeFile);
+        if (!image) {
+            return { ok: false, summary: `could not resolve image name for ${app.name}`, data: { app: app.name, image: '' } };
+        }
+        const previous = `${splitImageBase(image)}:fleet-previous`;
+        if (!execSafe('docker', ['image', 'inspect', previous], { timeout: 10_000 }).ok) {
+            return { ok: false, summary: `no previous image found (${previous}) — nothing to roll back to`, data: { app: app.name, image: '' } };
+        }
+        if (!(args.yes || (await ctx.confirm(`Roll back ${app.name} to ${previous} and restart?`)))) {
+            return { ok: false, summary: 'cancelled', data: { app: app.name, image: previous } };
+        }
+        const tag = execSafe('docker', ['tag', previous, image], { timeout: 10_000 });
+        if (!tag.ok) {
+            return { ok: false, summary: `docker tag failed: ${tag.stderr || `exit ${tag.exitCode}`}`, data: { app: app.name, image: previous } };
+        }
+        if (!restartService(app.serviceName)) {
+            return { ok: false, summary: `tag restored but service restart failed for ${app.serviceName}`, data: { app: app.name, image: previous } };
+        }
+        return { ok: true, summary: `rolled back ${app.name} to ${previous}`, data: { app: app.name, image: previous } };
+    },
+});

package/dist/commands/secrets.js

@@ -19,6 +19,10 @@ import { checkHealth } from '../core/health.js';
 import { listSnapshots, restoreSnapshot, snapshotApp } from '../core/secrets-snapshots.js';
 import { auditLog } from '../core/secrets-audit.js';
 import { summariseSecrets, formatSecretsMotd, generateSecretsMotdScript } from '../core/secrets-motd.js';
+import { migrateAppToV2, revertAppFromV2 } from '../core/secrets-v2-migrate.js';
+import { cleanupV2Backups } from '../core/secrets-v2-cleanup.js';
+import { getV2Status } from '../core/secrets-v2-ops.js';
+import { installV2 } from '../core/secrets-v2-install.js';
 function getDbSecretsDir() {
     const reg = load();
     return join(reg.infrastructure.databases.composePath, 'secrets');
@@ -46,8 +50,13 @@ export async function secretsCommand(args) {
         case 'snapshots': return secretsSnapshots(rest);
         case 'motd-init': return secretsMotdInit();
         case 'seal-runtime': return secretsSeal(rest);
+        case 'migrate-v2': return secretsMigrateV2(rest);
+        case 'revert-v2': return secretsRevertV2(rest);
+        case 'cleanup-v2': return secretsCleanupV2(rest);
+        case 'status-v2': return secretsStatusV2(rest);
+        case 'install-v2': return secretsInstallV2(rest);
         default:
-            error('Usage: fleet secrets <init|list|set|get|import|export|seal|unseal|rotate|rotate-key|ages|rollback|snapshots|validate|status|drift|restore>');
+            error('Usage: fleet secrets <init|list|set|get|import|export|seal|unseal|rotate|rotate-key|ages|rollback|snapshots|validate|status|drift|restore|migrate-v2|revert-v2|cleanup-v2|status-v2|install-v2>');
             process.exit(1);
     }
 }
@@ -129,7 +138,7 @@ async function secretsSet(args) {
         error('Empty value — aborting');
         process.exit(1);
     }
-    setSecret(app, key, value, { allowWeak });
+    await setSecret(app, key, value, { allowWeak });
     success(`Set ${key} for ${app}`);
 }
 function secretsGet(args) {
@@ -145,7 +154,7 @@ function secretsGet(args) {
     }
     process.stdout.write(val + '\n');
 }
-function secretsImport(args) {
+async function secretsImport(args) {
     const app = args.find(a => !a.startsWith('-'));
     const pathArg = args[1] && !args[1].startsWith('-') ? args[1] : null;
     if (!app) {
@@ -154,7 +163,7 @@ function secretsImport(args) {
     }
     if (app === 'docker-databases') {
         const dir = pathArg || getDbSecretsDir();
-        const count = importDbSecrets(app, dir);
+        const count = await importDbSecrets(app, dir);
         success(`Imported ${count} secret files from ${dir}`);
         return;
     }
@@ -170,7 +179,7 @@ function secretsImport(args) {
     else {
         throw new SecretsError(`App not in registry and no path given: ${app}`);
     }
-    const count = importEnvFile(app, envPath);
+    const count = await importEnvFile(app, envPath);
     success(`Imported ${count} keys from ${envPath}`);
 }
 function secretsExport(args) {
@@ -187,9 +196,9 @@ function secretsUnseal() {
     const count = Object.keys(manifest.apps).length;
     success(`Unsealed ${count} apps to /run/fleet-secrets/`);
 }
-function secretsSeal(args) {
+async function secretsSeal(args) {
     const app = args.find(a => !a.startsWith('-')) || undefined;
-    const sealed = sealFromRuntime(app);
+    const sealed = await sealFromRuntime(app);
     for (const a of sealed) {
         success(`Sealed ${a}`);
     }
@@ -200,7 +209,7 @@ async function secretsRotateKey(args) {
         info('Cancelled');
         return;
     }
-    const result = rotateKey();
+    const result = await rotateKey();
     success(`Key rotated`);
     info(`Old: ${result.oldPubkey}`);
     info(`New: ${result.newPubkey}`);
@@ -294,7 +303,7 @@ async function rotateOneInteractive(app, secret, opts) {
         info('Cancelled');
         return { acted: false, succeeded: false };
     }
-    const result = performRotation(app, secret.name, newValue, {
+    const result = await performRotation(app, secret.name, newValue, {
         dryRun: opts.dryRun,
         dataMigrated: opts.dataMigrated,
     });
@@ -699,3 +708,142 @@ function secretsRestore(args) {
     success(`Restored vault backup for ${app}`);
     info('Run "fleet secrets unseal" to apply to runtime');
 }
+async function secretsMigrateV2(args) {
+    const app = args[0];
+    if (!app || app.startsWith('-')) {
+        error('Usage: fleet secrets migrate-v2 <app> [--no-restart-app] [--dry-run]');
+        process.exit(1);
+    }
+    const noRestartApp = args.includes('--no-restart-app');
+    const dryRun = args.includes('--dry-run');
+    heading(`Migrating ${app} to v2 (mode=socket)`);
+    if (dryRun)
+        info('DRY RUN — no actual changes will be applied');
+    try {
+        const result = await migrateAppToV2({ app, noRestartApp, dryRun });
+        if (result.rolledBack) {
+            error(`Migration failed; rolled back from snapshot ${result.snapshotDir}`);
+            for (const step of result.steps) {
+                if (!step.ok)
+                    info(`  step ${step.step} (${step.name}): ${step.detail}`);
+            }
+            process.exit(1);
+        }
+        success(`Migrated ${app} to v2`);
+        if (result.snapshotDir)
+            info(`Snapshot: ${result.snapshotDir}`);
+        for (const step of result.steps) {
+            info(`  step ${step.step} (${step.name}): ${step.ok ? 'OK' : 'FAILED'}`);
+        }
+    }
+    catch (err) {
+        error(`Migration failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function secretsRevertV2(args) {
+    const app = args[0];
+    if (!app || app.startsWith('-')) {
+        error('Usage: fleet secrets revert-v2 <app> [--snapshot <timestamp>]');
+        process.exit(1);
+    }
+    const snapIdx = args.indexOf('--snapshot');
+    const snapshotTimestamp = snapIdx >= 0 ? args[snapIdx + 1] : undefined;
+    heading(`Reverting ${app} from v2`);
+    try {
+        const result = await revertAppFromV2({ app, snapshotTimestamp });
+        if (result.ok) {
+            success(`Reverted ${app} to v1; restored from ${result.snapshotUsed}`);
+        }
+        else {
+            error(`Revert reported issues — see steps below`);
+        }
+        for (const step of result.steps) {
+            const status = step.ok ? 'OK' : 'FAILED';
+            info(`  step ${step.step} (${step.name}): ${status}${step.detail ? ' — ' + step.detail : ''}`);
+        }
+    }
+    catch (err) {
+        error(`Revert failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function secretsCleanupV2(args) {
+    const app = args[0];
+    if (!app || app.startsWith('-')) {
+        error('Usage: fleet secrets cleanup-v2 <app> [--retention-days N] [--dry-run]');
+        process.exit(1);
+    }
+    const retIdx = args.indexOf('--retention-days');
+    const retentionDays = retIdx >= 0 ? parseInt(args[retIdx + 1], 10) : 30;
+    const dryRun = args.includes('--dry-run');
+    if (Number.isNaN(retentionDays) || retentionDays < 0) {
+        error(`--retention-days must be a non-negative integer`);
+        process.exit(1);
+    }
+    heading(`Cleaning up v2 backups for ${app} (retention=${retentionDays}d)`);
+    if (dryRun)
+        info('DRY RUN — no actual deletions');
+    try {
+        const result = await cleanupV2Backups({ app, retentionDays, dryRun });
+        if (result.removedBak)
+            info(`v1 backup blob ${dryRun ? 'would be removed' : 'removed'}`);
+        info(`Snapshots removed: ${result.removedSnapshots.length}`);
+        info(`Snapshots kept:    ${result.keptSnapshots.length}`);
+        for (const ts of result.removedSnapshots)
+            info(`  - ${ts}`);
+        success('Cleanup complete');
+    }
+    catch (err) {
+        error(`Cleanup failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+async function secretsInstallV2(args) {
+    const dryRun = args.includes('--dry-run');
+    heading(`Installing fleet-secrets-agent v2 host components`);
+    if (dryRun)
+        info('DRY RUN');
+    try {
+        const result = await installV2({ dryRun });
+        if (result.agentBinaryInstalled)
+            success('Agent binary installed at /usr/local/bin/fleet-agent');
+        else
+            info('Agent binary already current');
+        if (result.unitFileInstalled)
+            success('Templated unit installed at /etc/systemd/system/fleet-secrets-agent@.service');
+        else
+            info('Unit file already current');
+        if (result.daemonReloaded)
+            success('systemctl daemon-reload completed');
+        if (!result.templateParseable && !dryRun)
+            warn('Templated unit did not parse cleanly — investigate');
+        else if (!dryRun)
+            success('Templated unit verified');
+    }
+    catch (err) {
+        error(`Install failed: ${err.message}`);
+        process.exit(1);
+    }
+}
+function secretsStatusV2(_args) {
+    const report = getV2Status();
+    heading('Fleet secrets v2 status');
+    info(`v1 (unseal): ${report.v1Count} apps`);
+    info(`v2 (socket): ${report.v2Count} apps`);
+    info('');
+    if (report.apps.length === 0) {
+        info('No apps in manifest');
+        return;
+    }
+    const headers = ['App', 'Mode', 'Agent', 'Socket', 'Keys', 'Last sealed'];
+    const rows = report.apps.map(a => [
+        a.name,
+        a.mode,
+        a.mode === 'socket' ? (a.agentActive ? 'active' : 'inactive') : '—',
+        a.mode === 'socket' ? (a.socketOk ? 'ok' : 'BAD') : '—',
+        String(a.keyCount),
+        a.lastSealedAt.slice(0, 10),
+    ]);
+    table(headers, rows);
+}

package/dist/commands/start.d.ts

@@ -1 +1,4 @@
-export declare function startCommand(args: string[]): void;
+export declare const startCommand: import("../registry/types.js").CommandDef<{
+    app: string;
+    service: string;
+}>;