tlc-claude-code 2.0.1 → 2.1.0

package/server/lib/vps-api.test.js

@@ -0,0 +1,208 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import express from 'express';
+import request from 'supertest';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+const { createVpsRouter } = await import('./vps-api.js');
+
+function createMockSshClient() {
+  return {
+    exec: vi.fn().mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 }),
+    execStream: vi.fn().mockResolvedValue(),
+    testConnection: vi.fn().mockResolvedValue({
+      connected: true,
+      os: 'Linux',
+      docker: 'Docker version 24.0.0',
+      disk: '42%',
+    }),
+    upload: vi.fn().mockResolvedValue(),
+  };
+}
+
+describe('VPS API Router', () => {
+  let app;
+  let mockSsh;
+  let tempDir;
+  let vpsJsonPath;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'vps-api-test-'));
+    vpsJsonPath = path.join(tempDir, 'vps.json');
+    mockSsh = createMockSshClient();
+
+    const router = createVpsRouter({
+      sshClient: mockSsh,
+      configDir: tempDir,
+    });
+
+    app = express();
+    app.use(express.json());
+    app.use('/vps', router);
+  });
+
+  afterEach(() => {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe('GET /vps/servers', () => {
+    it('returns empty list when no servers registered', async () => {
+      const res = await request(app).get('/vps/servers');
+      expect(res.status).toBe(200);
+      expect(res.body).toEqual([]);
+    });
+
+    it('returns registered servers', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{ id: '1', name: 'dev-1', host: '1.2.3.4', port: 22, username: 'deploy' }],
+      }));
+      const res = await request(app).get('/vps/servers');
+      expect(res.status).toBe(200);
+      expect(res.body).toHaveLength(1);
+      expect(res.body[0].name).toBe('dev-1');
+    });
+  });
+
+  describe('POST /vps/servers', () => {
+    it('creates a new server with UUID', async () => {
+      const res = await request(app).post('/vps/servers').send({
+        name: 'dev-1',
+        host: '1.2.3.4',
+        port: 22,
+        username: 'deploy',
+        privateKeyPath: '~/.ssh/id_rsa',
+        domain: 'myapp.dev',
+      });
+      expect(res.status).toBe(201);
+      expect(res.body.id).toBeTruthy();
+      expect(res.body.name).toBe('dev-1');
+      expect(res.body.host).toBe('1.2.3.4');
+
+      // Verify persisted
+      const data = JSON.parse(fs.readFileSync(vpsJsonPath, 'utf8'));
+      expect(data.servers).toHaveLength(1);
+    });
+
+    it('validates required fields', async () => {
+      const res = await request(app).post('/vps/servers').send({ name: 'dev-1' });
+      expect(res.status).toBe(400);
+      expect(res.body.error).toBeTruthy();
+    });
+  });
+
+  describe('GET /vps/servers/:id', () => {
+    it('returns server detail', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{ id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22, username: 'deploy' }],
+      }));
+      const res = await request(app).get('/vps/servers/abc');
+      expect(res.status).toBe(200);
+      expect(res.body.id).toBe('abc');
+    });
+
+    it('returns 404 for unknown server', async () => {
+      const res = await request(app).get('/vps/servers/nonexistent');
+      expect(res.status).toBe(404);
+    });
+  });
+
+  describe('PUT /vps/servers/:id', () => {
+    it('updates server config', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{ id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22, username: 'deploy' }],
+      }));
+      const res = await request(app).put('/vps/servers/abc').send({ name: 'dev-updated' });
+      expect(res.status).toBe(200);
+      expect(res.body.name).toBe('dev-updated');
+
+      // Verify persisted
+      const data = JSON.parse(fs.readFileSync(vpsJsonPath, 'utf8'));
+      expect(data.servers[0].name).toBe('dev-updated');
+    });
+  });
+
+  describe('DELETE /vps/servers/:id', () => {
+    it('removes server', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{ id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22, username: 'deploy' }],
+      }));
+      const res = await request(app).delete('/vps/servers/abc');
+      expect(res.status).toBe(200);
+
+      const data = JSON.parse(fs.readFileSync(vpsJsonPath, 'utf8'));
+      expect(data.servers).toHaveLength(0);
+    });
+  });
+
+  describe('POST /vps/servers/:id/test', () => {
+    it('tests SSH connection and returns server info', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{
+          id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22,
+          username: 'deploy', privateKeyPath: '~/.ssh/id_rsa',
+        }],
+      }));
+      const res = await request(app).post('/vps/servers/abc/test');
+      expect(res.status).toBe(200);
+      expect(res.body.connected).toBe(true);
+      expect(mockSsh.testConnection).toHaveBeenCalled();
+    });
+  });
+
+  describe('POST /vps/servers/:id/assign', () => {
+    it('assigns project to server', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{
+          id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22,
+          username: 'deploy', assignedProjects: [],
+        }],
+      }));
+      const res = await request(app).post('/vps/servers/abc/assign').send({ projectId: 'proj1' });
+      expect(res.status).toBe(200);
+      expect(res.body.assignedProjects).toContain('proj1');
+    });
+
+    it('does not duplicate project assignment', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{
+          id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22,
+          username: 'deploy', assignedProjects: ['proj1'],
+        }],
+      }));
+      const res = await request(app).post('/vps/servers/abc/assign').send({ projectId: 'proj1' });
+      expect(res.status).toBe(200);
+      expect(res.body.assignedProjects.filter(p => p === 'proj1')).toHaveLength(1);
+    });
+  });
+
+  describe('POST /vps/servers/:id/unassign', () => {
+    it('removes project from server', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [{
+          id: 'abc', name: 'dev-1', host: '1.2.3.4', port: 22,
+          username: 'deploy', assignedProjects: ['proj1', 'proj2'],
+        }],
+      }));
+      const res = await request(app).post('/vps/servers/abc/unassign').send({ projectId: 'proj1' });
+      expect(res.status).toBe(200);
+      expect(res.body.assignedProjects).not.toContain('proj1');
+      expect(res.body.assignedProjects).toContain('proj2');
+    });
+  });
+
+  describe('GET /vps/pool', () => {
+    it('returns only pool servers', async () => {
+      fs.writeFileSync(vpsJsonPath, JSON.stringify({
+        servers: [
+          { id: '1', name: 'shared', host: '1.1.1.1', port: 22, username: 'deploy', pool: true },
+          { id: '2', name: 'dedicated', host: '2.2.2.2', port: 22, username: 'deploy', pool: false },
+        ],
+      }));
+      const res = await request(app).get('/vps/pool');
+      expect(res.status).toBe(200);
+      expect(res.body).toHaveLength(1);
+      expect(res.body[0].name).toBe('shared');
+    });
+  });
+});

package/server/lib/vps-bootstrap.js

@@ -0,0 +1,124 @@
+/**
+ * VPS Bootstrap — idempotent server setup via SSH
+ * Phase 80 Task 5
+ */
+
+const { isValidUsername } = require('./input-sanitizer.js');
+
+/**
+ * Generate idempotent bootstrap bash script
+ * @param {Object} options
+ * @param {string} [options.deployUser=deploy] - Deploy user to create
+ * @returns {string} Bash script
+ */
+function generateBootstrapScript(options = {}) {
+  const deployUser = options.deployUser || 'deploy';
+  if (!isValidUsername(deployUser)) throw new Error(`Invalid deploy user: ${deployUser}`);
+
+  return `#!/bin/bash
+set -e
+
+echo "=== TLC VPS Bootstrap ==="
+echo "Date: $(date)"
+
+# Step 1: Update packages
+echo "[1/7] Updating packages..."
+apt-get update -y && apt-get upgrade -y
+
+# Step 2: Install Docker (idempotent)
+echo "[2/7] Installing Docker..."
+if command -v docker &>/dev/null; then
+  echo "  Docker already installed: $(docker --version)"
+else
+  curl -fsSL https://get.docker.com | sh
+  systemctl enable docker
+  systemctl start docker
+  echo "  Docker installed: $(docker --version)"
+fi
+
+# Install Docker Compose plugin
+if docker compose version &>/dev/null; then
+  echo "  Docker Compose already installed"
+else
+  apt-get install -y docker-compose-plugin
+fi
+
+# Step 3: Install Nginx (idempotent)
+echo "[3/7] Installing Nginx..."
+if command -v nginx &>/dev/null; then
+  echo "  Nginx already installed: $(nginx -v 2>&1)"
+else
+  apt-get install -y nginx
+  systemctl enable nginx
+  systemctl start nginx
+  echo "  Nginx installed"
+fi
+
+# Step 4: Install Certbot (idempotent)
+echo "[4/7] Installing Certbot..."
+if command -v certbot &>/dev/null; then
+  echo "  Certbot already installed: $(certbot --version 2>&1)"
+else
+  apt-get install -y certbot python3-certbot-nginx
+  echo "  Certbot installed"
+fi
+
+# Step 5: Configure UFW firewall
+echo "[5/7] Configuring firewall..."
+apt-get install -y ufw
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+echo "y" | ufw enable
+echo "  Firewall configured (22, 80, 443)"
+
+# Step 6: Create deploy user (idempotent)
+echo "[6/7] Setting up deploy user..."
+if id "${deployUser}" &>/dev/null; then
+  echo "  User ${deployUser} already exists"
+else
+  useradd -m -s /bin/bash ${deployUser}
+  usermod -aG docker ${deployUser}
+  mkdir -p /home/${deployUser}/.ssh
+  chmod 700 /home/${deployUser}/.ssh
+  # Copy authorized keys from root if available
+  if [ -f /root/.ssh/authorized_keys ]; then
+    cp /root/.ssh/authorized_keys /home/${deployUser}/.ssh/
+    chown -R ${deployUser}:${deployUser} /home/${deployUser}/.ssh
+    chmod 600 /home/${deployUser}/.ssh/authorized_keys
+  fi
+  echo "  User ${deployUser} created and added to docker group"
+fi
+
+# Step 7: Create deployment directories
+echo "[7/7] Setting up deployment directories..."
+mkdir -p /opt/deploys
+chown ${deployUser}:${deployUser} /opt/deploys
+
+echo ""
+echo "=== Bootstrap Complete ==="
+echo "Docker: $(docker --version 2>/dev/null || echo 'not installed')"
+echo "Nginx:  $(nginx -v 2>&1 || echo 'not installed')"
+echo "Certbot: $(certbot --version 2>&1 || echo 'not installed')"
+echo "UFW:    $(ufw status | head -1)"
+echo "User:   ${deployUser}"
+`;
+}
+
+/**
+ * Parse bootstrap status from SSH command outputs
+ * @param {Object} output - { docker, nginx, certbot, ufw }
+ * @returns {Object} { docker, nginx, certbot, firewall }
+ */
+function checkBootstrapStatus(output) {
+  return {
+    docker: !!(output.docker && !output.docker.includes('not found') && output.docker.includes('version')),
+    nginx: !!(output.nginx && !output.nginx.includes('not found') && output.nginx.match(/nginx/i)),
+    certbot: !!(output.certbot && !output.certbot.includes('not found') && output.certbot.match(/certbot/i)),
+    firewall: !!(output.ufw && output.ufw.includes('active') && !output.ufw.includes('inactive')),
+  };
+}
+
+module.exports = { generateBootstrapScript, checkBootstrapStatus };

package/server/lib/vps-bootstrap.test.js

@@ -0,0 +1,79 @@
+import { describe, it, expect } from 'vitest';
+
+const { generateBootstrapScript, checkBootstrapStatus } = await import('./vps-bootstrap.js');
+
+describe('VPS Bootstrap', () => {
+  describe('generateBootstrapScript', () => {
+    it('returns a valid bash script', () => {
+      const script = generateBootstrapScript({ deployUser: 'deploy' });
+      expect(script).toContain('#!/bin/bash');
+    });
+
+    it('includes Docker install step', () => {
+      const script = generateBootstrapScript({});
+      expect(script).toContain('docker');
+      expect(script).toMatch(/get.docker.com|install.*docker/i);
+    });
+
+    it('includes Nginx install step', () => {
+      const script = generateBootstrapScript({});
+      expect(script).toContain('nginx');
+      expect(script).toMatch(/apt.*install.*nginx|install.*nginx/i);
+    });
+
+    it('includes UFW firewall config (ports 22, 80, 443)', () => {
+      const script = generateBootstrapScript({});
+      expect(script).toContain('ufw');
+      expect(script).toContain('22');
+      expect(script).toContain('80');
+      expect(script).toContain('443');
+    });
+
+    it('includes Certbot install for SSL', () => {
+      const script = generateBootstrapScript({});
+      expect(script).toContain('certbot');
+    });
+
+    it('creates deploy user when specified', () => {
+      const script = generateBootstrapScript({ deployUser: 'deploy' });
+      expect(script).toContain('deploy');
+      expect(script).toMatch(/useradd|adduser/);
+    });
+
+    it('is idempotent (checks before installing)', () => {
+      const script = generateBootstrapScript({});
+      // Should check if Docker already installed
+      expect(script).toMatch(/which docker|command -v docker|docker.*--version/);
+    });
+  });
+
+  describe('checkBootstrapStatus', () => {
+    it('parses installed components from SSH output', () => {
+      const output = {
+        docker: 'Docker version 24.0.0, build abc123',
+        nginx: 'nginx/1.22.1',
+        certbot: 'certbot 2.0.0',
+        ufw: 'Status: active',
+      };
+      const status = checkBootstrapStatus(output);
+      expect(status.docker).toBe(true);
+      expect(status.nginx).toBe(true);
+      expect(status.certbot).toBe(true);
+      expect(status.firewall).toBe(true);
+    });
+
+    it('detects missing components', () => {
+      const output = {
+        docker: 'command not found',
+        nginx: 'command not found',
+        certbot: 'command not found',
+        ufw: 'Status: inactive',
+      };
+      const status = checkBootstrapStatus(output);
+      expect(status.docker).toBe(false);
+      expect(status.nginx).toBe(false);
+      expect(status.certbot).toBe(false);
+      expect(status.firewall).toBe(false);
+    });
+  });
+});

package/server/lib/vps-monitor.js

@@ -0,0 +1,126 @@
+/**
+ * VPS Monitor — server metrics collection and alerting
+ * Phase 80 Task 9
+ */
+
+const { isValidDomain } = require('./input-sanitizer.js');
+
+/**
+ * Create VPS monitor
+ * @param {Object} options
+ * @param {Object} options.sshClient - SSH client instance
+ * @returns {Object} VPS monitor API
+ */
+function createVpsMonitor({ sshClient }) {
+
+  /**
+   * Collect server metrics via SSH
+   * @param {Object} sshConfig
+   * @returns {Promise<Object>} metrics
+   */
+  async function getServerMetrics(sshConfig) {
+    const [dfResult, freeResult, cpuResult, uptimeResult, dockerResult] = await Promise.all([
+      sshClient.exec(sshConfig, "df -h / | tail -1"),
+      sshClient.exec(sshConfig, "free -k | head -2"),
+      sshClient.exec(sshConfig, "cat /proc/stat | head -1"),
+      sshClient.exec(sshConfig, "uptime"),
+      sshClient.exec(sshConfig, "docker ps --format json 2>/dev/null || echo '[]'"),
+    ]);
+
+    // Parse disk
+    const dfParts = dfResult.stdout.trim().split(/\s+/);
+    const diskPercent = parseInt((dfParts[4] || '0').replace('%', ''), 10);
+
+    // Parse memory
+    const memLines = freeResult.stdout.trim().split('\n');
+    const memParts = (memLines[1] || '').trim().split(/\s+/);
+    const totalKb = parseInt(memParts[1] || '0', 10);
+    const usedKb = parseInt(memParts[2] || '0', 10);
+
+    // Parse CPU
+    const cpuParts = cpuResult.stdout.trim().split(/\s+/).slice(1).map(Number);
+    const cpuTotal = cpuParts.reduce((a, b) => a + b, 0);
+    const cpuIdle = cpuParts[3] || 0;
+    const cpuPercent = cpuTotal > 0 ? Math.round(((cpuTotal - cpuIdle) / cpuTotal) * 100) : 0;
+
+    // Parse containers
+    let containers = [];
+    try {
+      const dockerOut = dockerResult.stdout.trim();
+      if (dockerOut.startsWith('[')) {
+        containers = JSON.parse(dockerOut);
+      } else if (dockerOut.startsWith('{')) {
+        containers = dockerOut.split('\n').filter(Boolean).map(l => JSON.parse(l));
+      }
+    } catch {}
+
+    return {
+      disk: { usedPercent: diskPercent, raw: dfResult.stdout.trim() },
+      memory: { totalKb, usedKb, usedPercent: totalKb > 0 ? Math.round((usedKb / totalKb) * 100) : 0 },
+      cpu: { usedPercent: cpuPercent },
+      uptime: uptimeResult.stdout.trim(),
+      containers: containers.map(c => ({
+        name: c.Names || c.name || '',
+        state: c.State || c.state || 'unknown',
+        status: c.Status || c.status || '',
+      })),
+      timestamp: new Date().toISOString(),
+    };
+  }
+
+  /**
+   * Check for alert conditions
+   * @param {Object} metrics
+   * @returns {Array} alerts
+   */
+  function checkAlerts(metrics) {
+    const alerts = [];
+
+    // Disk alerts
+    if (metrics.disk && metrics.disk.usedPercent > 90) {
+      alerts.push({ type: 'disk', level: 'critical', message: `Disk ${metrics.disk.usedPercent}% full` });
+    } else if (metrics.disk && metrics.disk.usedPercent > 80) {
+      alerts.push({ type: 'disk', level: 'warning', message: `Disk ${metrics.disk.usedPercent}% full` });
+    }
+
+    // Memory alerts
+    if (metrics.memory && metrics.memory.usedPercent > 90) {
+      alerts.push({ type: 'memory', level: 'warning', message: `Memory ${metrics.memory.usedPercent}% used` });
+    }
+
+    // Container alerts
+    if (metrics.containers) {
+      for (const c of metrics.containers) {
+        if (c.state === 'exited' && c.exitCode !== undefined && c.exitCode !== 0) {
+          alerts.push({ type: 'container', level: 'critical', message: `Container ${c.name} crashed (exit code ${c.exitCode})` });
+        }
+      }
+    }
+
+    return alerts;
+  }
+
+  /**
+   * Check SSL certificate expiry
+   * @param {Object} sshConfig
+   * @param {string} domain
+   * @returns {Promise<Object>}
+   */
+  async function checkSslExpiry(sshConfig, domain) {
+    if (!isValidDomain(domain)) throw new Error(`Invalid domain: ${domain}`);
+    const result = await sshClient.exec(
+      sshConfig,
+      `openssl x509 -enddate -noout -in /etc/letsencrypt/live/${domain}/fullchain.pem 2>/dev/null || echo "not found"`
+    );
+
+    const match = result.stdout.match(/notAfter=(.+)/);
+    const expiresAt = match ? match[1].trim() : null;
+    const daysLeft = expiresAt ? Math.floor((new Date(expiresAt) - new Date()) / 86400000) : null;
+
+    return { domain, expiresAt, daysLeft, warning: daysLeft !== null && daysLeft < 14 };
+  }
+
+  return { getServerMetrics, checkAlerts, checkSslExpiry };
+}
+
+module.exports = { createVpsMonitor };

package/server/lib/vps-monitor.test.js

@@ -0,0 +1,98 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+
+const { createVpsMonitor } = await import('./vps-monitor.js');
+
+function createMockSsh() {
+  return {
+    exec: vi.fn().mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 }),
+  };
+}
+
+describe('VPS Monitor', () => {
+  let monitor;
+  let mockSsh;
+
+  beforeEach(() => {
+    mockSsh = createMockSsh();
+    monitor = createVpsMonitor({ sshClient: mockSsh });
+  });
+
+  describe('getServerMetrics', () => {
+    it('parses disk usage from df output', async () => {
+      mockSsh.exec.mockImplementation(async (config, cmd) => {
+        if (cmd.includes('df')) return { stdout: '/dev/sda1 50G 20G 28G 42% /', stderr: '', exitCode: 0 };
+        if (cmd.includes('free')) return { stdout: '              total        used        free\nMem:        8000000     4000000     3000000', stderr: '', exitCode: 0 };
+        if (cmd.includes('nproc')) return { stdout: '4', stderr: '', exitCode: 0 };
+        if (cmd.includes('/proc/stat')) return { stdout: 'cpu  1000 200 300 7000 100 0 0 0', stderr: '', exitCode: 0 };
+        if (cmd.includes('uptime')) return { stdout: ' 12:00:00 up 30 days', stderr: '', exitCode: 0 };
+        if (cmd.includes('docker')) return { stdout: '[]', stderr: '', exitCode: 0 };
+        return { stdout: '', stderr: '', exitCode: 0 };
+      });
+
+      const metrics = await monitor.getServerMetrics({ host: '1.2.3.4', username: 'deploy' });
+      expect(metrics.disk).toBeDefined();
+      expect(metrics.disk.usedPercent).toBe(42);
+    });
+
+    it('parses memory from free output', async () => {
+      mockSsh.exec.mockImplementation(async (config, cmd) => {
+        if (cmd.includes('df')) return { stdout: '/dev/sda1 50G 20G 28G 42% /', stderr: '', exitCode: 0 };
+        if (cmd.includes('free')) return { stdout: '              total        used        free\nMem:        8000000     4000000     3000000', stderr: '', exitCode: 0 };
+        if (cmd.includes('nproc')) return { stdout: '4', stderr: '', exitCode: 0 };
+        if (cmd.includes('/proc/stat')) return { stdout: 'cpu  1000 200 300 7000 100 0 0 0', stderr: '', exitCode: 0 };
+        if (cmd.includes('uptime')) return { stdout: ' 12:00:00 up 30 days', stderr: '', exitCode: 0 };
+        if (cmd.includes('docker')) return { stdout: '[]', stderr: '', exitCode: 0 };
+        return { stdout: '', stderr: '', exitCode: 0 };
+      });
+
+      const metrics = await monitor.getServerMetrics({ host: '1.2.3.4', username: 'deploy' });
+      expect(metrics.memory).toBeDefined();
+      expect(metrics.memory.totalKb).toBe(8000000);
+      expect(metrics.memory.usedKb).toBe(4000000);
+    });
+  });
+
+  describe('checkAlerts', () => {
+    it('returns warning for disk > 80%', () => {
+      const alerts = monitor.checkAlerts({ disk: { usedPercent: 85 }, memory: { usedPercent: 50 }, containers: [] });
+      expect(alerts.some(a => a.level === 'warning' && a.type === 'disk')).toBe(true);
+    });
+
+    it('returns critical for disk > 90%', () => {
+      const alerts = monitor.checkAlerts({ disk: { usedPercent: 95 }, memory: { usedPercent: 50 }, containers: [] });
+      expect(alerts.some(a => a.level === 'critical' && a.type === 'disk')).toBe(true);
+    });
+
+    it('returns alert for crashed container', () => {
+      const alerts = monitor.checkAlerts({
+        disk: { usedPercent: 30 },
+        memory: { usedPercent: 50 },
+        containers: [{ name: 'myapp', state: 'exited', exitCode: 1 }],
+      });
+      expect(alerts.some(a => a.type === 'container')).toBe(true);
+    });
+
+    it('returns no alerts when everything is healthy', () => {
+      const alerts = monitor.checkAlerts({
+        disk: { usedPercent: 30 },
+        memory: { usedPercent: 50 },
+        containers: [{ name: 'myapp', state: 'running', exitCode: 0 }],
+      });
+      expect(alerts).toHaveLength(0);
+    });
+  });
+
+  describe('checkSslExpiry', () => {
+    it('parses cert expiry date', async () => {
+      mockSsh.exec.mockResolvedValue({
+        stdout: 'notAfter=Mar 15 00:00:00 2026 GMT',
+        stderr: '',
+        exitCode: 0,
+      });
+
+      const expiry = await monitor.checkSslExpiry({ host: '1.2.3.4', username: 'deploy' }, 'myapp.dev');
+      expect(expiry.domain).toBe('myapp.dev');
+      expect(expiry.expiresAt).toBeTruthy();
+    });
+  });
+});