@clef-sh/agent 0.1.11-beta.62 → 0.1.11-beta.66

package/dist/agent.cjs

@@ -183802,7 +183802,7 @@ var ArtifactDecryptor = class {
     } finally {
       plaintext = "";
     }
-    return { values, keys: artifact.keys, revision: artifact.revision };
+    return { values, keys: Object.keys(values), revision: artifact.revision };
   }
   /** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
   async decryptKmsEnvelope(artifact) {
@@ -183859,14 +183859,13 @@ var ArtifactDecryptor = class {
 var crypto15 = __toESM(require("crypto"));
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v2",
+    "clef-sig-v3",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
     artifact.revision,
     artifact.packedAt,
     artifact.ciphertextHash,
-    [...artifact.keys].sort().join(","),
     artifact.expiresAt ?? "",
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
@@ -183950,7 +183949,6 @@ var ArtifactPoller = class {
     this.options.onRefresh?.(artifact.revision);
     this.telemetry?.artifactRefreshed({
       revision: artifact.revision,
-      keyCount: artifact.keys.length,
       kmsEnvelope: !!artifact.envelope
     });
   }
@@ -184113,14 +184111,15 @@ var ArtifactPoller = class {
     const artifact = this.validateArtifact(parsed);
     if (artifact.revision === this.lastRevision) return;
     const { values } = await this.decryptor.decrypt(artifact);
-    this.options.cache.swap(values, artifact.keys, artifact.revision);
+    const keys = Object.keys(values);
+    this.options.cache.swap(values, keys, artifact.revision);
     this.lastRevision = artifact.revision;
     this.lastContentHash = contentHash ?? null;
     this.lastExpiresAt = artifact.expiresAt ?? null;
     this.options.onRefresh?.(artifact.revision);
     this.telemetry?.artifactRefreshed({
       revision: artifact.revision,
-      keyCount: artifact.keys.length,
+      keyCount: keys.length,
       kmsEnvelope: !!artifact.envelope
     });
   }
@@ -184228,10 +184227,6 @@ var EncryptedArtifactStore = class {
   getStoredAt() {
     return this._storedAt;
   }
-  /** Get key names from the stored artifact metadata (no decryption needed). */
-  getKeys() {
-    return this.artifact ? [...this.artifact.keys] : [];
-  }
   /** Get the revision from the stored artifact. */
   getRevision() {
     return this.artifact?.revision ?? null;
@@ -184702,9 +184697,20 @@ function startAgentServer(options) {
       res.json(all);
     }
   });
-  app.get("/v1/keys", (_req, res) => {
+  app.get("/v1/keys", async (_req, res) => {
     if (jitMode) {
-      res.json(encryptedStore.getKeys());
+      const artifact = encryptedStore.get();
+      if (!artifact) {
+        res.status(503).json({ error: "Secrets not yet loaded" });
+        return;
+      }
+      try {
+        const { values } = await decryptor.decrypt(artifact);
+        res.json(Object.keys(values));
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        res.status(503).json({ error: "Decryption failed", detail: message });
+      }
     } else {
       res.json(cache.getKeys());
     }
@@ -184907,7 +184913,7 @@ async function initialFetch(poller, jitMode, encryptedStore, cache, sourceDesc)
         await poller.fetchAndValidate();
         const artifact = encryptedStore.get();
         const { values } = await poller.getDecryptor().decrypt(artifact);
-        cache.swap(values, artifact.keys, artifact.revision);
+        cache.swap(values, Object.keys(values), artifact.revision);
       } else {
         await poller.fetchAndDecrypt();
       }
@@ -184930,7 +184936,7 @@ async function initialFetch(poller, jitMode, encryptedStore, cache, sourceDesc)
 }
 
 // package.json
-var version5 = "0.1.11-beta.62";
+var version5 = "0.1.11-beta.66";
 
 // src/main.ts
 var isLambda = !!process.env.AWS_LAMBDA_RUNTIME_API;