@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/core/audit/reporters/cli.js

@@ -0,0 +1,68 @@
+import { c, icon } from '../../../ui/output.js';
+const SEVERITY_ORDER = ['CRITICAL', 'WARN', 'INFO'];
+export function severityIcon(severity) {
+    switch (severity) {
+        case 'CRITICAL': return icon.err;
+        case 'WARN': return icon.warn;
+        default: return icon.info;
+    }
+}
+function severityHeading(severity) {
+    switch (severity) {
+        case 'CRITICAL': return `${c.red}${c.bold}Critical — will be rejected`;
+        case 'WARN': return `${c.yellow}${c.bold}Warning — high rejection risk`;
+        default: return `${c.dim}${c.bold}Info — best practice`;
+    }
+}
+// render a parsed greenlight report into printable terminal lines, grouped by
+// severity with a verdict footer. ansi colours come from ui/output.
+export function formatReport(report) {
+    const lines = [];
+    if (report.app_name)
+        lines.push(`  ${c.dim}App${c.reset}     ${report.app_name}`);
+    if (report.bundle_id)
+        lines.push(`  ${c.dim}Bundle${c.reset}  ${report.bundle_id}`);
+    lines.push(`  ${c.dim}Privacy manifest${c.reset}  ` +
+        (report.has_privacy_info ? `${icon.ok} present` : `${icon.warn} missing`));
+    if (report.tracking_sdks && report.tracking_sdks.length > 0) {
+        lines.push(`  ${c.dim}Tracking SDKs${c.reset}  ${report.tracking_sdks.join(', ')}`);
+    }
+    if (report.detected_apis && report.detected_apis.length > 0) {
+        lines.push(`  ${c.dim}Required-reason APIs${c.reset}  ${report.detected_apis.join(', ')}`);
+    }
+    for (const severity of SEVERITY_ORDER) {
+        const group = report.findings.filter(f => f.severity === severity);
+        if (group.length === 0)
+            continue;
+        lines.push('');
+        lines.push(`${severityHeading(severity)} (${group.length})${c.reset}`);
+        for (const finding of group)
+            lines.push(...formatFinding(finding));
+    }
+    const s = report.summary;
+    lines.push('');
+    lines.push(`  ${c.dim}${'-'.repeat(48)}${c.reset}`);
+    if (s.passed) {
+        lines.push(`  ${c.green}${c.bold}GREENLIT${c.reset} — no critical issues found`);
+    }
+    else {
+        lines.push(`  ${c.red}${c.bold}NOT READY${c.reset} — ${s.critical} critical issue(s) must be fixed`);
+    }
+    lines.push(`  ${c.dim}${s.total} findings: ${s.critical} critical, ${s.warns} warn, ` +
+        `${s.infos} info — scanned in ${report.elapsed}${c.reset}`);
+    return lines;
+}
+function formatFinding(finding) {
+    const out = [];
+    const ref = finding.guideline ? `${c.cyan}§${finding.guideline}${c.reset} ` : '';
+    out.push(`  ${severityIcon(finding.severity)} ${c.dim}[${finding.source}]${c.reset} ` +
+        `${ref}${c.bold}${finding.title}${c.reset}`);
+    if (finding.file) {
+        const loc = finding.line ? `${finding.file}:${finding.line}` : finding.file;
+        out.push(`      ${c.dim}${loc}${c.reset}`);
+    }
+    out.push(`      ${c.dim}${finding.detail}${c.reset}`);
+    if (finding.fix)
+        out.push(`      ${c.green}fix:${c.reset} ${finding.fix}`);
+    return out;
+}

package/dist/core/audit/suppress.d.ts

@@ -0,0 +1,6 @@
+import type { AuditIgnoreRule, GreenlightReport } from './types.js';
+export interface SuppressionResult {
+    report: GreenlightReport;
+    suppressed: number;
+}
+export declare function applySuppressions(report: GreenlightReport, target: string, rules: AuditIgnoreRule[]): SuppressionResult;

package/dist/core/audit/suppress.js

@@ -0,0 +1,37 @@
+// true when `rule` dismisses `finding` for the audit target `target`.
+function ruleCovers(rule, finding, target) {
+    if (rule.target && rule.target !== target)
+        return false;
+    if (rule.title !== finding.title)
+        return false;
+    if (rule.contains) {
+        const haystack = `${finding.file ?? ''}\n${finding.code ?? ''}`;
+        if (!haystack.includes(rule.contains))
+            return false;
+    }
+    return true;
+}
+function recomputeSummary(findings) {
+    return {
+        total: findings.length,
+        critical: findings.filter(f => f.severity === 'CRITICAL').length,
+        warns: findings.filter(f => f.severity === 'WARN').length,
+        infos: findings.filter(f => f.severity === 'INFO').length,
+        passed: findings.every(f => f.severity !== 'CRITICAL'),
+    };
+}
+// drops findings covered by an active ignore rule and recomputes the summary
+// so the verdict reflects what is left. this is how confirmed scanner false
+// positives are dismissed — each rule carries a written reason.
+export function applySuppressions(report, target, rules) {
+    if (rules.length === 0)
+        return { report, suppressed: 0 };
+    const kept = report.findings.filter(finding => !rules.some(rule => ruleCovers(rule, finding, target)));
+    const suppressed = report.findings.length - kept.length;
+    if (suppressed === 0)
+        return { report, suppressed: 0 };
+    return {
+        report: { ...report, findings: kept, summary: recomputeSummary(kept) },
+        suppressed,
+    };
+}

package/dist/core/audit/target.d.ts

@@ -0,0 +1,5 @@
+export interface AuditTarget {
+    target: string;
+    projectPath: string;
+}
+export declare function resolveAuditTarget(target: string): AuditTarget;

package/dist/core/audit/target.js

@@ -0,0 +1,26 @@
+import { existsSync, statSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import { load, findApp } from '../registry.js';
+import { FleetError } from '../errors.js';
+// resolve an audit target to the mobile project directory to scan.
+//
+// a target is either an existing directory path (used as-is) or a registered
+// fleet app name. for a registered app the convention is a `mobile/` subdir of
+// its compose root — that is where an expo / ios project lives in a repo whose
+// root holds docker-compose — falling back to the compose root when there is
+// no such subdir.
+export function resolveAuditTarget(target) {
+    const asPath = resolve(target);
+    if (existsSync(asPath) && statSync(asPath).isDirectory()) {
+        return { target, projectPath: asPath };
+    }
+    const app = findApp(load(), target);
+    if (!app) {
+        throw new FleetError(`Audit target "${target}" is neither an existing directory nor a registered app.`);
+    }
+    const mobileDir = join(app.composePath, 'mobile');
+    return {
+        target: app.name,
+        projectPath: existsSync(mobileDir) ? mobileDir : app.composePath,
+    };
+}

package/dist/core/audit/types.d.ts

@@ -0,0 +1,54 @@
+export type GreenlightSeverity = 'CRITICAL' | 'WARN' | 'INFO';
+export type GreenlightSource = 'metadata' | 'codescan' | 'privacy' | 'ipa';
+export interface GreenlightFinding {
+    source: GreenlightSource | string;
+    severity: GreenlightSeverity | string;
+    guideline?: string;
+    title: string;
+    detail: string;
+    fix?: string;
+    file?: string;
+    line?: number;
+    code?: string;
+}
+export interface GreenlightSummary {
+    total: number;
+    critical: number;
+    warns: number;
+    infos: number;
+    passed: boolean;
+}
+export interface GreenlightReport {
+    project_path: string;
+    ipa_path?: string;
+    app_name?: string;
+    bundle_id?: string;
+    has_privacy_info: boolean;
+    detected_apis?: string[];
+    tracking_sdks?: string[];
+    findings: GreenlightFinding[];
+    summary: GreenlightSummary;
+    elapsed: string;
+}
+export interface AuditRecord {
+    target: string;
+    projectPath: string;
+    ipaPath?: string;
+    ranAt: string;
+    report: GreenlightReport;
+}
+export interface AuditCache {
+    version: 1;
+    audits: Record<string, AuditRecord>;
+}
+export interface AuditIgnoreRule {
+    target?: string;
+    title: string;
+    contains?: string;
+    reason: string;
+    addedAt: string;
+}
+export interface AuditConfig {
+    version: 1;
+    ignore: AuditIgnoreRule[];
+}

package/dist/core/audit/types.js

@@ -0,0 +1,5 @@
+// shapes for the App Store compliance audit feature. the report types mirror
+// the json emitted by `greenlight preflight --format json` (RevylAI/greenlight,
+// internal/cli/preflight.go writePreflightJSON) — kept structurally identical
+// so the binary's output deserialises straight into these.
+export {};

package/dist/core/backup/browser-api.d.ts

@@ -0,0 +1,66 @@
+import { StatusReport } from './statuspage.js';
+import { SnapshotInfo } from './types.js';
+import { TreeEntry } from './repo.js';
+export interface RestoreResult {
+    target: string;
+    fileCount: number;
+    bytes: number;
+    durationMs: number;
+}
+export interface StagingDir {
+    path: string;
+    bytes: number;
+    age: string;
+}
+/** everything the router needs, injected so handlers stay pure + testable. */
+export interface ApiContext {
+    now(): number;
+    totpSecret: string;
+    sessionSecret: string;
+    sessionTtlMs: number;
+    /** the deployment domain — the same-origin check accepts only this host. */
+    domain: string;
+    listApps(): string[];
+    statusReport(): StatusReport;
+    snapshots(app: string): SnapshotInfo[];
+    lsTree(app: string, snap: string, path: string): TreeEntry[];
+    fileMeta(app: string, snap: string, path: string): {
+        size: number;
+        sensitive: boolean;
+    } | null;
+    restore(app: string, snap: string, path: string): RestoreResult;
+    listStaging(): StagingDir[];
+    deleteStaging(path: string): void;
+}
+export interface ApiRequest {
+    method: string;
+    path: string;
+    query: Record<string, string>;
+    headers: Record<string, string>;
+    body?: unknown;
+    cookies: Record<string, string>;
+}
+export type ApiResponse = {
+    kind: 'json';
+    status: number;
+    body: unknown;
+    setCookie?: string;
+} | {
+    kind: 'html';
+    status: number;
+    body: string;
+} | {
+    kind: 'stream';
+    status: number;
+    app: string;
+    snap: string;
+    path: string;
+    filename: string;
+    contentType: string;
+    disposition: 'inline' | 'attachment';
+} | {
+    kind: 'redirect';
+    status: number;
+    location: string;
+};
+export declare function handle(req: ApiRequest, ctx: ApiContext): ApiResponse;

package/dist/core/backup/browser-api.js

@@ -0,0 +1,197 @@
+import { verifyTotp, signSession, verifySession } from './totp.js';
+import { renderLoginPage, renderExplorerPage } from './browser-ui.js';
+import { renderStatusHtml } from './statuspage.js';
+import { classify } from './sensitive.js';
+const SESSION_COOKIE = 'fleet_backup_session';
+function json(status, body, setCookie) {
+    return { kind: 'json', status, body, setCookie };
+}
+function hasSession(req, ctx) {
+    const cookie = req.cookies[SESSION_COOKIE];
+    if (!cookie)
+        return false;
+    return verifySession(cookie, ctx.sessionSecret, ctx.now()) !== null;
+}
+/** /api/* must carry the csrf header, and write methods must carry an
+ *  Origin header whose host matches our domain exactly.
+ *
+ *  the custom `x-fleet-backup: 1` header is the primary barrier — modern
+ *  browsers can't set it cross-origin without preflight, which a same-
+ *  origin policy denies for any host that isn't our own. the Origin check
+ *  is belt-and-braces, and matters specifically for POST / DELETE so the
+ *  endsWith bug (where `evil-${domain}` would have been accepted) is
+ *  closed and a missing Origin on a mutating request is rejected. read
+ *  methods accept a missing Origin so health checks / curl probes keep
+ *  working without the operator having to set an Origin manually. */
+const READ_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+function csrfOk(req, domain) {
+    if (req.headers['x-fleet-backup'] !== '1')
+        return false;
+    const origin = req.headers['origin'];
+    const isWrite = !READ_METHODS.has(req.method.toUpperCase());
+    if (!origin)
+        return !isWrite;
+    let host;
+    try {
+        host = new URL(origin).host;
+    }
+    catch {
+        return false;
+    }
+    return host === domain;
+}
+export function handle(req, ctx) {
+    // public: the login page
+    if (req.path === '/login' && req.method === 'GET') {
+        return { kind: 'html', status: 200, body: renderLoginPage() };
+    }
+    // /api/* — the CSRF + same-origin check runs before auth so a cross-site
+    // probe is rejected (403) without ever reaching the session layer.
+    if (req.path.startsWith('/api/')) {
+        if (!csrfOk(req, ctx.domain))
+            return json(403, { error: 'csrf check failed' });
+        if (req.path === '/api/login' && req.method === 'POST') {
+            const code = req.body?.code ?? '';
+            if (!verifyTotp(ctx.totpSecret, code, ctx.now())) {
+                return json(401, { error: 'invalid code' });
+            }
+            const cookie = signSession({ exp: ctx.now() + ctx.sessionTtlMs }, ctx.sessionSecret);
+            const attrs = `Path=/backups; HttpOnly; Secure; SameSite=Strict; Max-Age=${Math.floor(ctx.sessionTtlMs / 1000)}`;
+            return json(200, { ok: true }, `${SESSION_COOKIE}=${cookie}; ${attrs}`);
+        }
+        if (!hasSession(req, ctx))
+            return json(401, { error: 'not authenticated' });
+        return handleApi(req, ctx);
+    }
+    // every non-api route requires a session
+    if (!hasSession(req, ctx)) {
+        return { kind: 'redirect', status: 302, location: '/backups/login' };
+    }
+    if (req.path === '/' && req.method === 'GET') {
+        return { kind: 'html', status: 200, body: renderStatusHtml(ctx.statusReport()) };
+    }
+    if (req.path === '/explore' && req.method === 'GET') {
+        return { kind: 'html', status: 200, body: renderExplorerPage() };
+    }
+    return json(404, { error: 'not found' });
+}
+const SNAP_RE = /^[0-9a-f]{8,64}$/;
+const INLINE_TYPES = ['text/', 'image/', 'application/pdf', 'application/json'];
+function validPath(p) {
+    if (!p || !p.startsWith('/'))
+        return false;
+    // reject any traversal segment in the raw path — checking a normalised
+    // path is useless here because normalisation collapses `..` away first.
+    return !p.split('/').includes('..');
+}
+/** maps a restic error to 503 when the backend is unreachable, else 500. */
+function resticErrorStatus(message) {
+    return /unreach|connection refused|dial |timeout|no route to host/i.test(message)
+        ? 503
+        : 500;
+}
+function contentTypeFor(path) {
+    const ext = path.slice(path.lastIndexOf('.') + 1).toLowerCase();
+    const map = {
+        txt: 'text/plain', md: 'text/plain', log: 'text/plain', json: 'application/json',
+        js: 'text/plain', ts: 'text/plain', css: 'text/plain', html: 'text/plain',
+        png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif',
+        svg: 'image/svg+xml', pdf: 'application/pdf',
+    };
+    return map[ext] ?? 'application/octet-stream';
+}
+function handleApi(req, ctx) {
+    const { path: route, query } = req;
+    if (route === '/api/apps' && req.method === 'GET') {
+        return json(200, ctx.statusReport());
+    }
+    if (route === '/api/snapshots' && req.method === 'GET') {
+        const app = query.app ?? '';
+        if (!ctx.listApps().includes(app))
+            return json(404, { error: 'unknown app' });
+        return json(200, { snapshots: ctx.snapshots(app) });
+    }
+    if (route === '/api/ls' && req.method === 'GET') {
+        const { app = '', snap = '', path = '/' } = query;
+        if (!ctx.listApps().includes(app))
+            return json(404, { error: 'unknown app' });
+        if (!SNAP_RE.test(snap))
+            return json(400, { error: 'bad snapshot id' });
+        if (!validPath(path))
+            return json(400, { error: 'bad path' });
+        try {
+            // sensitivity is derived from the path itself — no per-entry restic call.
+            const entries = ctx.lsTree(app, snap, path).map(e => ({
+                ...e,
+                sensitive: classify(e.path) === 'sensitive',
+            }));
+            return json(200, { path, entries });
+        }
+        catch (e) {
+            const msg = e.message;
+            return json(resticErrorStatus(msg), { error: msg });
+        }
+    }
+    if (route === '/api/staging' && req.method === 'GET') {
+        return json(200, { staging: ctx.listStaging() });
+    }
+    if (route === '/api/restore' && req.method === 'POST') {
+        const b = (req.body ?? {});
+        const app = b.app ?? '';
+        const snap = b.snap ?? '';
+        const path = b.path ?? '';
+        if (!ctx.listApps().includes(app))
+            return json(404, { error: 'unknown app' });
+        if (!SNAP_RE.test(snap))
+            return json(400, { error: 'bad snapshot id' });
+        if (!validPath(path))
+            return json(400, { error: 'bad path' });
+        try {
+            return json(200, ctx.restore(app, snap, path));
+        }
+        catch (e) {
+            const msg = e.message;
+            // doRestore throws a code-507 error when staging space is short
+            const status = e.code === 507 ? 507 : 500;
+            return json(status, { error: msg });
+        }
+    }
+    if (route === '/api/staging' && req.method === 'DELETE') {
+        const p = query.path ?? '';
+        if (!p.startsWith('/var/restore/') || p.includes('..')) {
+            return json(400, { error: 'bad staging path' });
+        }
+        try {
+            ctx.deleteStaging(p);
+            return json(200, { ok: true });
+        }
+        catch (e) {
+            return json(500, { error: e.message });
+        }
+    }
+    if (route === '/api/file' && req.method === 'GET') {
+        const { app = '', snap = '', path = '', dl } = query;
+        if (!ctx.listApps().includes(app))
+            return json(404, { error: 'unknown app' });
+        if (!SNAP_RE.test(snap))
+            return json(400, { error: 'bad snapshot id' });
+        if (!validPath(path))
+            return json(400, { error: 'bad path' });
+        const meta = ctx.fileMeta(app, snap, path);
+        if (!meta)
+            return json(404, { error: 'file not found' });
+        if (meta.sensitive)
+            return json(403, { error: 'sensitive path — view/download blocked' });
+        const filename = path.slice(path.lastIndexOf('/') + 1);
+        const ct = contentTypeFor(path);
+        const inlineable = INLINE_TYPES.some(t => ct.startsWith(t)) && meta.size <= 5 * 1024 * 1024;
+        return {
+            kind: 'stream',
+            status: 200,
+            app, snap, path, filename,
+            contentType: ct,
+            disposition: dl === '1' || !inlineable ? 'attachment' : 'inline',
+        };
+    }
+    return json(404, { error: 'not found' });
+}

package/dist/core/backup/browser-server.d.ts

@@ -0,0 +1,11 @@
+import { Server } from 'node:http';
+export interface ServeOptions {
+    port: number;
+    totpSecret: string;
+    sessionSecret: string;
+    sessionTtlMs?: number;
+    stagingRoot?: string;
+}
+/** starts the explorer http service, resolving once it is bound. the socket
+ *  is localhost-only (nginx fronts it). */
+export declare function startServer(opts: ServeOptions): Promise<Server>;