npm - @clef-sh/agent - Versions diffs - 0.1.11-beta.62 → 0.1.11-beta.68 - Mend

@clef-sh/agent 0.1.11-beta.62 → 0.1.11-beta.68

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/agent.cjs CHANGED Viewed

@@ -44607,22 +44607,22 @@ var require_crypto2 = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.NodeCrypto = void 0;
-    var crypto17 = require("crypto");
+    var crypto18 = require("crypto");
     var NodeCrypto = class {
       async sha256DigestBase64(str) {
-        return crypto17.createHash("sha256").update(str).digest("base64");
+        return crypto18.createHash("sha256").update(str).digest("base64");
       }
       randomBytesBase64(count) {
-        return crypto17.randomBytes(count).toString("base64");
+        return crypto18.randomBytes(count).toString("base64");
       }
       async verify(pubkey, data, signature) {
-        const verifier = crypto17.createVerify("RSA-SHA256");
+        const verifier = crypto18.createVerify("RSA-SHA256");
         verifier.update(data);
         verifier.end();
         return verifier.verify(pubkey, signature, "base64");
       }
       async sign(privateKey, data) {
-        const signer = crypto17.createSign("RSA-SHA256");
+        const signer = crypto18.createSign("RSA-SHA256");
         signer.update(data);
         signer.end();
         return signer.sign(privateKey, "base64");
@@ -44640,7 +44640,7 @@ var require_crypto2 = __commonJS({
        *   string in hexadecimal encoding.
        */
       async sha256DigestHex(str) {
-        return crypto17.createHash("sha256").update(str).digest("hex");
+        return crypto18.createHash("sha256").update(str).digest("hex");
       }
       /**
        * Computes the HMAC hash of a message using the provided crypto key and the
@@ -44652,7 +44652,7 @@ var require_crypto2 = __commonJS({
        */
       async signWithHmacSha256(key, msg) {
         const cryptoKey = typeof key === "string" ? key : toBuffer(key);
-        return toArrayBuffer(crypto17.createHmac("sha256", cryptoKey).update(msg).digest());
+        return toArrayBuffer(crypto18.createHmac("sha256", cryptoKey).update(msg).digest());
       }
     };
     exports2.NodeCrypto = NodeCrypto;
@@ -45430,10 +45430,10 @@ var require_oauth2client = __commonJS({
        * https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js
        */
       async generateCodeVerifierAsync() {
-        const crypto17 = (0, crypto_1.createCrypto)();
-        const randomString = crypto17.randomBytesBase64(96);
+        const crypto18 = (0, crypto_1.createCrypto)();
+        const randomString = crypto18.randomBytesBase64(96);
         const codeVerifier = randomString.replace(/\+/g, "~").replace(/=/g, "_").replace(/\//g, "-");
-        const unencodedCodeChallenge = await crypto17.sha256DigestBase64(codeVerifier);
+        const unencodedCodeChallenge = await crypto18.sha256DigestBase64(codeVerifier);
         const codeChallenge = unencodedCodeChallenge.split("=")[0].replace(/\+/g, "-").replace(/\//g, "_");
         return { codeVerifier, codeChallenge };
       }
@@ -45877,7 +45877,7 @@ var require_oauth2client = __commonJS({
        * @return Returns a promise resolving to LoginTicket on verification.
        */
       async verifySignedJwtWithCertsAsync(jwt2, certs, requiredAudience, issuers, maxExpiry) {
-        const crypto17 = (0, crypto_1.createCrypto)();
+        const crypto18 = (0, crypto_1.createCrypto)();
         if (!maxExpiry) {
           maxExpiry = _OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_;
         }
@@ -45890,7 +45890,7 @@ var require_oauth2client = __commonJS({
         let envelope;
         let payload;
         try {
-          envelope = JSON.parse(crypto17.decodeBase64StringUtf8(segments[0]));
+          envelope = JSON.parse(crypto18.decodeBase64StringUtf8(segments[0]));
         } catch (err) {
           if (err instanceof Error) {
             err.message = `Can't parse token envelope: ${segments[0]}': ${err.message}`;
@@ -45901,7 +45901,7 @@ var require_oauth2client = __commonJS({
           throw new Error("Can't parse token envelope: " + segments[0]);
         }
         try {
-          payload = JSON.parse(crypto17.decodeBase64StringUtf8(segments[1]));
+          payload = JSON.parse(crypto18.decodeBase64StringUtf8(segments[1]));
         } catch (err) {
           if (err instanceof Error) {
             err.message = `Can't parse token payload '${segments[0]}`;
@@ -45918,7 +45918,7 @@ var require_oauth2client = __commonJS({
         if (envelope.alg === "ES256") {
           signature = formatEcdsa.joseToDer(signature, "ES256").toString("base64");
         }
-        const verified = await crypto17.verify(cert, signed, signature);
+        const verified = await crypto18.verify(cert, signed, signature);
         if (!verified) {
           throw new Error("Invalid token signature: " + jwt2);
         }
@@ -46286,14 +46286,14 @@ var require_buffer_equal_constant_time = __commonJS({
 var require_jwa = __commonJS({
   "../../node_modules/jwa/index.js"(exports2, module2) {
     var Buffer3 = require_safe_buffer().Buffer;
-    var crypto17 = require("crypto");
+    var crypto18 = require("crypto");
     var formatEcdsa = require_ecdsa_sig_formatter();
     var util2 = require("util");
     var MSG_INVALID_ALGORITHM = '"%s" is not a valid algorithm.\n  Supported algorithms are:\n  "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".';
     var MSG_INVALID_SECRET = "secret must be a string or buffer";
     var MSG_INVALID_VERIFIER_KEY = "key must be a string or a buffer";
     var MSG_INVALID_SIGNER_KEY = "key must be a string, a buffer or an object";
-    var supportsKeyObjects = typeof crypto17.createPublicKey === "function";
+    var supportsKeyObjects = typeof crypto18.createPublicKey === "function";
     if (supportsKeyObjects) {
       MSG_INVALID_VERIFIER_KEY += " or a KeyObject";
       MSG_INVALID_SECRET += "or a KeyObject";
@@ -46383,17 +46383,17 @@ var require_jwa = __commonJS({
       return function sign2(thing, secret) {
         checkIsSecretKey(secret);
         thing = normalizeInput(thing);
-        var hmac = crypto17.createHmac("sha" + bits, secret);
+        var hmac = crypto18.createHmac("sha" + bits, secret);
         var sig = (hmac.update(thing), hmac.digest("base64"));
         return fromBase64(sig);
       };
     }
     var bufferEqual;
-    var timingSafeEqual2 = "timingSafeEqual" in crypto17 ? function timingSafeEqual3(a, b) {
+    var timingSafeEqual2 = "timingSafeEqual" in crypto18 ? function timingSafeEqual3(a, b) {
       if (a.byteLength !== b.byteLength) {
         return false;
       }
-      return crypto17.timingSafeEqual(a, b);
+      return crypto18.timingSafeEqual(a, b);
     } : function timingSafeEqual3(a, b) {
       if (!bufferEqual) {
         bufferEqual = require_buffer_equal_constant_time();
@@ -46410,7 +46410,7 @@ var require_jwa = __commonJS({
       return function sign2(thing, privateKey) {
         checkIsPrivateKey(privateKey);
         thing = normalizeInput(thing);
-        var signer = crypto17.createSign("RSA-SHA" + bits);
+        var signer = crypto18.createSign("RSA-SHA" + bits);
         var sig = (signer.update(thing), signer.sign(privateKey, "base64"));
         return fromBase64(sig);
       };
@@ -46420,7 +46420,7 @@ var require_jwa = __commonJS({
         checkIsPublicKey(publicKey);
         thing = normalizeInput(thing);
         signature = toBase64(signature);
-        var verifier = crypto17.createVerify("RSA-SHA" + bits);
+        var verifier = crypto18.createVerify("RSA-SHA" + bits);
         verifier.update(thing);
         return verifier.verify(publicKey, signature, "base64");
       };
@@ -46429,11 +46429,11 @@ var require_jwa = __commonJS({
       return function sign2(thing, privateKey) {
         checkIsPrivateKey(privateKey);
         thing = normalizeInput(thing);
-        var signer = crypto17.createSign("RSA-SHA" + bits);
+        var signer = crypto18.createSign("RSA-SHA" + bits);
         var sig = (signer.update(thing), signer.sign({
           key: privateKey,
-          padding: crypto17.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: crypto17.constants.RSA_PSS_SALTLEN_DIGEST
+          padding: crypto18.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto18.constants.RSA_PSS_SALTLEN_DIGEST
         }, "base64"));
         return fromBase64(sig);
       };
@@ -46443,12 +46443,12 @@ var require_jwa = __commonJS({
         checkIsPublicKey(publicKey);
         thing = normalizeInput(thing);
         signature = toBase64(signature);
-        var verifier = crypto17.createVerify("RSA-SHA" + bits);
+        var verifier = crypto18.createVerify("RSA-SHA" + bits);
         verifier.update(thing);
         return verifier.verify({
           key: publicKey,
-          padding: crypto17.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: crypto17.constants.RSA_PSS_SALTLEN_DIGEST
+          padding: crypto18.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto18.constants.RSA_PSS_SALTLEN_DIGEST
         }, signature, "base64");
       };
     }
@@ -48606,14 +48606,14 @@ var require_awsrequestsigner = __commonJS({
       }
     };
     exports2.AwsRequestSigner = AwsRequestSigner;
-    async function sign2(crypto17, key, msg) {
-      return await crypto17.signWithHmacSha256(key, msg);
-    }
-    async function getSigningKey(crypto17, key, dateStamp, region, serviceName) {
-      const kDate = await sign2(crypto17, `AWS4${key}`, dateStamp);
-      const kRegion = await sign2(crypto17, kDate, region);
-      const kService = await sign2(crypto17, kRegion, serviceName);
-      const kSigning = await sign2(crypto17, kService, "aws4_request");
+    async function sign2(crypto18, key, msg) {
+      return await crypto18.signWithHmacSha256(key, msg);
+    }
+    async function getSigningKey(crypto18, key, dateStamp, region, serviceName) {
+      const kDate = await sign2(crypto18, `AWS4${key}`, dateStamp);
+      const kRegion = await sign2(crypto18, kDate, region);
+      const kService = await sign2(crypto18, kRegion, serviceName);
+      const kSigning = await sign2(crypto18, kService, "aws4_request");
       return kSigning;
     }
     async function generateAuthenticationHeaderMap(options) {
@@ -50198,24 +50198,24 @@ var require_googleauth = __commonJS({
           const signed = await client.sign(data);
           return signed.signedBlob;
         }
-        const crypto17 = (0, crypto_1.createCrypto)();
+        const crypto18 = (0, crypto_1.createCrypto)();
         if (client instanceof jwtclient_1.JWT && client.key) {
-          const sign2 = await crypto17.sign(client.key, data);
+          const sign2 = await crypto18.sign(client.key, data);
           return sign2;
         }
         const creds = await this.getCredentials();
         if (!creds.client_email) {
           throw new Error("Cannot sign data without `client_email`.");
         }
-        return this.signBlob(crypto17, creds.client_email, data, endpoint);
+        return this.signBlob(crypto18, creds.client_email, data, endpoint);
       }
-      async signBlob(crypto17, emailOrUniqueId, data, endpoint) {
+      async signBlob(crypto18, emailOrUniqueId, data, endpoint) {
         const url = new URL(endpoint + `${emailOrUniqueId}:signBlob`);
         const res = await this.request({
           method: "POST",
           url: url.href,
           data: {
-            payload: crypto17.encodeBase64StringUtf8(data)
+            payload: crypto18.encodeBase64StringUtf8(data)
           },
           retry: true,
           retryConfig: {
@@ -50632,7 +50632,7 @@ var require_src10 = __commonJS({
 var require_object_hash = __commonJS({
   "../../node_modules/object-hash/index.js"(exports2, module2) {
     "use strict";
-    var crypto17 = require("crypto");
+    var crypto18 = require("crypto");
     exports2 = module2.exports = objectHash;
     function objectHash(object, options) {
       options = applyDefaults(object, options);
@@ -50650,7 +50650,7 @@ var require_object_hash = __commonJS({
     exports2.keysMD5 = function(object) {
       return objectHash(object, { algorithm: "md5", encoding: "hex", excludeValues: true });
     };
-    var hashes = crypto17.getHashes ? crypto17.getHashes().slice() : ["sha1", "md5"];
+    var hashes = crypto18.getHashes ? crypto18.getHashes().slice() : ["sha1", "md5"];
     hashes.push("passthrough");
     var encodings = ["buffer", "hex", "binary", "base64"];
     function applyDefaults(object, sourceOptions) {
@@ -50696,7 +50696,7 @@ var require_object_hash = __commonJS({
     function hash(object, options) {
       var hashingStream;
       if (options.algorithm !== "passthrough") {
-        hashingStream = crypto17.createHash(options.algorithm);
+        hashingStream = crypto18.createHash(options.algorithm);
       } else {
         hashingStream = new PassThrough();
       }
@@ -150124,14 +150124,14 @@ var require_etag = __commonJS({
   "../../node_modules/etag/index.js"(exports2, module2) {
     "use strict";
     module2.exports = etag;
-    var crypto17 = require("crypto");
+    var crypto18 = require("crypto");
     var Stats = require("fs").Stats;
     var toString = Object.prototype.toString;
     function entitytag(entity) {
       if (entity.length === 0) {
         return '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"';
       }
-      var hash = crypto17.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
+      var hash = crypto18.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
       var len = typeof entity === "string" ? Buffer.byteLength(entity, "utf8") : entity.length;
       return '"' + len.toString(16) + "-" + hash + '"';
     }
@@ -172492,17 +172492,17 @@ var require_content_disposition = __commonJS({
 // ../../node_modules/cookie-signature/index.js
 var require_cookie_signature = __commonJS({
   "../../node_modules/cookie-signature/index.js"(exports2) {
-    var crypto17 = require("crypto");
+    var crypto18 = require("crypto");
     exports2.sign = function(val, secret) {
       if ("string" != typeof val) throw new TypeError("Cookie value must be provided as a string.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
-      return val + "." + crypto17.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
+      return val + "." + crypto18.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
     };
     exports2.unsign = function(input, secret) {
       if ("string" != typeof input) throw new TypeError("Signed cookie string must be provided.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
       var tentativeValue = input.slice(0, input.lastIndexOf(".")), expectedInput = exports2.sign(tentativeValue, secret), expectedBuffer = Buffer.from(expectedInput), inputBuffer = Buffer.from(input);
-      return expectedBuffer.length === inputBuffer.length && crypto17.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
+      return expectedBuffer.length === inputBuffer.length && crypto18.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
     };
   }
 });
@@ -183802,7 +183802,7 @@ var ArtifactDecryptor = class {
     } finally {
       plaintext = "";
     }
-    return { values, keys: artifact.keys, revision: artifact.revision };
+    return { values, keys: Object.keys(values), revision: artifact.revision };
   }
   /** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
   async decryptKmsEnvelope(artifact) {
@@ -183859,14 +183859,13 @@ var ArtifactDecryptor = class {
 var crypto15 = __toESM(require("crypto"));
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v2",
+    "clef-sig-v3",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
     artifact.revision,
     artifact.packedAt,
     artifact.ciphertextHash,
-    [...artifact.keys].sort().join(","),
     artifact.expiresAt ?? "",
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
@@ -183950,7 +183949,6 @@ var ArtifactPoller = class {
     this.options.onRefresh?.(artifact.revision);
     this.telemetry?.artifactRefreshed({
       revision: artifact.revision,
-      keyCount: artifact.keys.length,
       kmsEnvelope: !!artifact.envelope
     });
   }
@@ -184113,14 +184111,15 @@ var ArtifactPoller = class {
     const artifact = this.validateArtifact(parsed);
     if (artifact.revision === this.lastRevision) return;
     const { values } = await this.decryptor.decrypt(artifact);
-    this.options.cache.swap(values, artifact.keys, artifact.revision);
+    const keys = Object.keys(values);
+    this.options.cache.swap(values, keys, artifact.revision);
     this.lastRevision = artifact.revision;
     this.lastContentHash = contentHash ?? null;
     this.lastExpiresAt = artifact.expiresAt ?? null;
     this.options.onRefresh?.(artifact.revision);
     this.telemetry?.artifactRefreshed({
       revision: artifact.revision,
-      keyCount: artifact.keys.length,
+      keyCount: keys.length,
       kmsEnvelope: !!artifact.envelope
     });
   }
@@ -184228,10 +184227,6 @@ var EncryptedArtifactStore = class {
   getStoredAt() {
     return this._storedAt;
   }
-  /** Get key names from the stored artifact metadata (no decryption needed). */
-  getKeys() {
-    return this.artifact ? [...this.artifact.keys] : [];
-  }
   /** Get the revision from the stored artifact. */
   getRevision() {
     return this.artifact?.revision ?? null;
@@ -184594,6 +184589,176 @@ var VcsArtifactSource = class {
   }
 };
+// ../runtime/src/sources/s3.ts
+var crypto17 = __toESM(require("crypto"));
+function isS3Url(url) {
+  return parseS3UrlSafe(url) !== null;
+}
+function parseS3Url(url) {
+  const loc = parseS3UrlSafe(url);
+  if (!loc) throw new Error(`Not a valid S3 URL: ${url}`);
+  return loc;
+}
+function parseS3UrlSafe(url) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    return null;
+  }
+  if (u.protocol !== "https:") return null;
+  const host = u.hostname;
+  const key = u.pathname.slice(1);
+  if (!key) return null;
+  const vhMatch = host.match(/^(.+)\.s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^(.+)\.s3\.amazonaws\.com$/);
+  if (vhMatch) {
+    return { bucket: vhMatch[1], key, region: vhMatch[2] || "us-east-1" };
+  }
+  const psMatch = host.match(/^s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^s3\.amazonaws\.com$/);
+  if (psMatch) {
+    const slashIdx = key.indexOf("/");
+    if (slashIdx < 0) return null;
+    return {
+      bucket: key.slice(0, slashIdx),
+      key: key.slice(slashIdx + 1),
+      region: psMatch[1] || "us-east-1"
+    };
+  }
+  return null;
+}
+var S3ArtifactSource = class {
+  url;
+  location;
+  cachedCredentials = null;
+  constructor(url) {
+    this.url = url;
+    this.location = parseS3Url(url);
+  }
+  async fetch() {
+    const creds = await this.resolveCredentials();
+    const { bucket, key, region } = this.location;
+    const host = `${bucket}.s3.${region}.amazonaws.com`;
+    const path4 = `/${encodeS3Key(key)}`;
+    const now = /* @__PURE__ */ new Date();
+    const headers = signS3GetRequest(host, path4, region, creds, now);
+    const res = await globalThis.fetch(`https://${host}${path4}`, { headers });
+    if (!res.ok) {
+      throw new Error(
+        `Failed to fetch artifact from ${this.describe()}: ${res.status} ${res.statusText}`
+      );
+    }
+    const raw = await res.text();
+    const etag = res.headers.get("etag") ?? void 0;
+    return { raw, contentHash: etag };
+  }
+  describe() {
+    const { bucket, key } = this.location;
+    return `S3 s3://${bucket}/${key}`;
+  }
+  async resolveCredentials() {
+    if (this.cachedCredentials && Date.now() < this.cachedCredentials.expiresAt - 3e5) {
+      return this.cachedCredentials.creds;
+    }
+    const relativeUri = process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
+    if (relativeUri) {
+      return this.fetchEcsCredentials(`http://169.254.170.2${relativeUri}`);
+    }
+    const fullUri = process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI;
+    if (fullUri) {
+      return this.fetchEcsCredentials(fullUri);
+    }
+    const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
+    const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
+    if (accessKeyId && secretAccessKey) {
+      return {
+        accessKeyId,
+        secretAccessKey,
+        sessionToken: process.env.AWS_SESSION_TOKEN
+      };
+    }
+    throw new Error(
+      "No AWS credentials found. Set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or run in ECS/Fargate with a task role."
+    );
+  }
+  async fetchEcsCredentials(endpoint) {
+    const headers = {};
+    const authToken = process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN;
+    if (authToken) {
+      headers["Authorization"] = authToken;
+    }
+    const res = await globalThis.fetch(endpoint, { headers });
+    if (!res.ok) {
+      throw new Error(`Failed to fetch ECS credentials: ${res.status} ${res.statusText}`);
+    }
+    const data = await res.json();
+    const creds = {
+      accessKeyId: data.AccessKeyId,
+      secretAccessKey: data.SecretAccessKey,
+      sessionToken: data.Token
+    };
+    if (data.Expiration) {
+      this.cachedCredentials = {
+        creds,
+        expiresAt: new Date(data.Expiration).getTime()
+      };
+    }
+    return creds;
+  }
+};
+function hmacSha256(key, data) {
+  return crypto17.createHmac("sha256", key).update(data, "utf-8").digest();
+}
+function sha256Hex(data) {
+  return crypto17.createHash("sha256").update(data, "utf-8").digest("hex");
+}
+function toAmzDate(date) {
+  return date.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
+}
+function toDateStamp(date) {
+  return toAmzDate(date).slice(0, 8);
+}
+function encodeS3Key(key) {
+  return key.split("/").map((s) => encodeURIComponent(s)).join("/");
+}
+function signS3GetRequest(host, path4, region, creds, now) {
+  const amzDate = toAmzDate(now);
+  const dateStamp = toDateStamp(now);
+  const service = "s3";
+  const scope = `${dateStamp}/${region}/${service}/aws4_request`;
+  const headers = {
+    host,
+    "x-amz-date": amzDate,
+    "x-amz-content-sha256": "UNSIGNED-PAYLOAD"
+  };
+  if (creds.sessionToken) {
+    headers["x-amz-security-token"] = creds.sessionToken;
+  }
+  const signedHeaderKeys = Object.keys(headers).sort();
+  const signedHeaders = signedHeaderKeys.join(";");
+  const canonicalHeaders = signedHeaderKeys.map((k) => `${k}:${headers[k]}
+`).join("");
+  const canonicalRequest = [
+    "GET",
+    path4,
+    "",
+    // no query string
+    canonicalHeaders,
+    signedHeaders,
+    "UNSIGNED-PAYLOAD"
+  ].join("\n");
+  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");
+  const kDate = hmacSha256(`AWS4${creds.secretAccessKey}`, dateStamp);
+  const kRegion = hmacSha256(kDate, region);
+  const kService = hmacSha256(kRegion, service);
+  const kSigning = hmacSha256(kService, "aws4_request");
+  const signature = hmacSha256(kSigning, stringToSign).toString("hex");
+  const authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+  return {
+    ...headers,
+    Authorization: authorization
+  };
+}
 // src/server.ts
 var import_crypto16 = require("crypto");
 var import_express = __toESM(require_express2());
@@ -184702,9 +184867,20 @@ function startAgentServer(options) {
       res.json(all);
     }
   });
-  app.get("/v1/keys", (_req, res) => {
+  app.get("/v1/keys", async (_req, res) => {
     if (jitMode) {
-      res.json(encryptedStore.getKeys());
+      const artifact = encryptedStore.get();
+      if (!artifact) {
+        res.status(503).json({ error: "Secrets not yet loaded" });
+        return;
+      }
+      try {
+        const { values } = await decryptor.decrypt(artifact);
+        res.json(Object.keys(values));
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        res.status(503).json({ error: "Decryption failed", detail: message });
+      }
     } else {
       res.json(cache.getKeys());
     }
@@ -184907,7 +185083,7 @@ async function initialFetch(poller, jitMode, encryptedStore, cache, sourceDesc)
         await poller.fetchAndValidate();
         const artifact = encryptedStore.get();
         const { values } = await poller.getDecryptor().decrypt(artifact);
-        cache.swap(values, artifact.keys, artifact.revision);
+        cache.swap(values, Object.keys(values), artifact.revision);
       } else {
         await poller.fetchAndDecrypt();
       }
@@ -184930,7 +185106,7 @@ async function initialFetch(poller, jitMode, encryptedStore, cache, sourceDesc)
 }
 // package.json
-var version5 = "0.1.11-beta.62";
+var version5 = "0.1.11-beta.68";
 // src/main.ts
 var isLambda = !!process.env.AWS_LAMBDA_RUNTIME_API;
@@ -184954,7 +185130,13 @@ async function main() {
     });
     source = new VcsArtifactSource(provider, config.vcs.identity, config.vcs.environment);
   } else if (config.source) {
-    source = config.source.startsWith("http://") || config.source.startsWith("https://") ? new HttpArtifactSource(config.source) : new FileArtifactSource(config.source);
+    if (isS3Url(config.source)) {
+      source = new S3ArtifactSource(config.source);
+    } else if (config.source.startsWith("http://") || config.source.startsWith("https://")) {
+      source = new HttpArtifactSource(config.source);
+    } else {
+      source = new FileArtifactSource(config.source);
+    }
   } else {
     throw new ConfigError("No artifact source configured.");
   }