@clef-sh/agent 0.1.8-beta.52 → 0.1.9-beta.57

package/dist/agent.cjs

@@ -44607,22 +44607,22 @@ var require_crypto2 = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.NodeCrypto = void 0;
-    var crypto16 = require("crypto");
+    var crypto17 = require("crypto");
     var NodeCrypto = class {
       async sha256DigestBase64(str) {
-        return crypto16.createHash("sha256").update(str).digest("base64");
+        return crypto17.createHash("sha256").update(str).digest("base64");
       }
       randomBytesBase64(count) {
-        return crypto16.randomBytes(count).toString("base64");
+        return crypto17.randomBytes(count).toString("base64");
       }
       async verify(pubkey, data, signature) {
-        const verifier = crypto16.createVerify("RSA-SHA256");
+        const verifier = crypto17.createVerify("RSA-SHA256");
         verifier.update(data);
         verifier.end();
         return verifier.verify(pubkey, signature, "base64");
       }
       async sign(privateKey, data) {
-        const signer = crypto16.createSign("RSA-SHA256");
+        const signer = crypto17.createSign("RSA-SHA256");
         signer.update(data);
         signer.end();
         return signer.sign(privateKey, "base64");
@@ -44640,7 +44640,7 @@ var require_crypto2 = __commonJS({
        *   string in hexadecimal encoding.
        */
       async sha256DigestHex(str) {
-        return crypto16.createHash("sha256").update(str).digest("hex");
+        return crypto17.createHash("sha256").update(str).digest("hex");
       }
       /**
        * Computes the HMAC hash of a message using the provided crypto key and the
@@ -44652,7 +44652,7 @@ var require_crypto2 = __commonJS({
        */
       async signWithHmacSha256(key, msg) {
         const cryptoKey = typeof key === "string" ? key : toBuffer(key);
-        return toArrayBuffer(crypto16.createHmac("sha256", cryptoKey).update(msg).digest());
+        return toArrayBuffer(crypto17.createHmac("sha256", cryptoKey).update(msg).digest());
       }
     };
     exports2.NodeCrypto = NodeCrypto;
@@ -45430,10 +45430,10 @@ var require_oauth2client = __commonJS({
        * https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js
        */
       async generateCodeVerifierAsync() {
-        const crypto16 = (0, crypto_1.createCrypto)();
-        const randomString = crypto16.randomBytesBase64(96);
+        const crypto17 = (0, crypto_1.createCrypto)();
+        const randomString = crypto17.randomBytesBase64(96);
         const codeVerifier = randomString.replace(/\+/g, "~").replace(/=/g, "_").replace(/\//g, "-");
-        const unencodedCodeChallenge = await crypto16.sha256DigestBase64(codeVerifier);
+        const unencodedCodeChallenge = await crypto17.sha256DigestBase64(codeVerifier);
         const codeChallenge = unencodedCodeChallenge.split("=")[0].replace(/\+/g, "-").replace(/\//g, "_");
         return { codeVerifier, codeChallenge };
       }
@@ -45877,7 +45877,7 @@ var require_oauth2client = __commonJS({
        * @return Returns a promise resolving to LoginTicket on verification.
        */
       async verifySignedJwtWithCertsAsync(jwt2, certs, requiredAudience, issuers, maxExpiry) {
-        const crypto16 = (0, crypto_1.createCrypto)();
+        const crypto17 = (0, crypto_1.createCrypto)();
         if (!maxExpiry) {
           maxExpiry = _OAuth2Client.DEFAULT_MAX_TOKEN_LIFETIME_SECS_;
         }
@@ -45890,7 +45890,7 @@ var require_oauth2client = __commonJS({
         let envelope;
         let payload;
         try {
-          envelope = JSON.parse(crypto16.decodeBase64StringUtf8(segments[0]));
+          envelope = JSON.parse(crypto17.decodeBase64StringUtf8(segments[0]));
         } catch (err) {
           if (err instanceof Error) {
             err.message = `Can't parse token envelope: ${segments[0]}': ${err.message}`;
@@ -45901,7 +45901,7 @@ var require_oauth2client = __commonJS({
           throw new Error("Can't parse token envelope: " + segments[0]);
         }
         try {
-          payload = JSON.parse(crypto16.decodeBase64StringUtf8(segments[1]));
+          payload = JSON.parse(crypto17.decodeBase64StringUtf8(segments[1]));
         } catch (err) {
           if (err instanceof Error) {
             err.message = `Can't parse token payload '${segments[0]}`;
@@ -45918,7 +45918,7 @@ var require_oauth2client = __commonJS({
         if (envelope.alg === "ES256") {
           signature = formatEcdsa.joseToDer(signature, "ES256").toString("base64");
         }
-        const verified = await crypto16.verify(cert, signed, signature);
+        const verified = await crypto17.verify(cert, signed, signature);
         if (!verified) {
           throw new Error("Invalid token signature: " + jwt2);
         }
@@ -46286,14 +46286,14 @@ var require_buffer_equal_constant_time = __commonJS({
 var require_jwa = __commonJS({
   "../../node_modules/jwa/index.js"(exports2, module2) {
     var Buffer3 = require_safe_buffer().Buffer;
-    var crypto16 = require("crypto");
+    var crypto17 = require("crypto");
     var formatEcdsa = require_ecdsa_sig_formatter();
     var util2 = require("util");
     var MSG_INVALID_ALGORITHM = '"%s" is not a valid algorithm.\n  Supported algorithms are:\n  "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512" and "none".';
     var MSG_INVALID_SECRET = "secret must be a string or buffer";
     var MSG_INVALID_VERIFIER_KEY = "key must be a string or a buffer";
     var MSG_INVALID_SIGNER_KEY = "key must be a string, a buffer or an object";
-    var supportsKeyObjects = typeof crypto16.createPublicKey === "function";
+    var supportsKeyObjects = typeof crypto17.createPublicKey === "function";
     if (supportsKeyObjects) {
       MSG_INVALID_VERIFIER_KEY += " or a KeyObject";
       MSG_INVALID_SECRET += "or a KeyObject";
@@ -46383,17 +46383,17 @@ var require_jwa = __commonJS({
       return function sign2(thing, secret) {
         checkIsSecretKey(secret);
         thing = normalizeInput(thing);
-        var hmac = crypto16.createHmac("sha" + bits, secret);
+        var hmac = crypto17.createHmac("sha" + bits, secret);
         var sig = (hmac.update(thing), hmac.digest("base64"));
         return fromBase64(sig);
       };
     }
     var bufferEqual;
-    var timingSafeEqual2 = "timingSafeEqual" in crypto16 ? function timingSafeEqual3(a, b) {
+    var timingSafeEqual2 = "timingSafeEqual" in crypto17 ? function timingSafeEqual3(a, b) {
       if (a.byteLength !== b.byteLength) {
         return false;
       }
-      return crypto16.timingSafeEqual(a, b);
+      return crypto17.timingSafeEqual(a, b);
     } : function timingSafeEqual3(a, b) {
       if (!bufferEqual) {
         bufferEqual = require_buffer_equal_constant_time();
@@ -46410,7 +46410,7 @@ var require_jwa = __commonJS({
       return function sign2(thing, privateKey) {
         checkIsPrivateKey(privateKey);
         thing = normalizeInput(thing);
-        var signer = crypto16.createSign("RSA-SHA" + bits);
+        var signer = crypto17.createSign("RSA-SHA" + bits);
         var sig = (signer.update(thing), signer.sign(privateKey, "base64"));
         return fromBase64(sig);
       };
@@ -46420,7 +46420,7 @@ var require_jwa = __commonJS({
         checkIsPublicKey(publicKey);
         thing = normalizeInput(thing);
         signature = toBase64(signature);
-        var verifier = crypto16.createVerify("RSA-SHA" + bits);
+        var verifier = crypto17.createVerify("RSA-SHA" + bits);
         verifier.update(thing);
         return verifier.verify(publicKey, signature, "base64");
       };
@@ -46429,11 +46429,11 @@ var require_jwa = __commonJS({
       return function sign2(thing, privateKey) {
         checkIsPrivateKey(privateKey);
         thing = normalizeInput(thing);
-        var signer = crypto16.createSign("RSA-SHA" + bits);
+        var signer = crypto17.createSign("RSA-SHA" + bits);
         var sig = (signer.update(thing), signer.sign({
           key: privateKey,
-          padding: crypto16.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: crypto16.constants.RSA_PSS_SALTLEN_DIGEST
+          padding: crypto17.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto17.constants.RSA_PSS_SALTLEN_DIGEST
         }, "base64"));
         return fromBase64(sig);
       };
@@ -46443,12 +46443,12 @@ var require_jwa = __commonJS({
         checkIsPublicKey(publicKey);
         thing = normalizeInput(thing);
         signature = toBase64(signature);
-        var verifier = crypto16.createVerify("RSA-SHA" + bits);
+        var verifier = crypto17.createVerify("RSA-SHA" + bits);
         verifier.update(thing);
         return verifier.verify({
           key: publicKey,
-          padding: crypto16.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: crypto16.constants.RSA_PSS_SALTLEN_DIGEST
+          padding: crypto17.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: crypto17.constants.RSA_PSS_SALTLEN_DIGEST
         }, signature, "base64");
       };
     }
@@ -48606,14 +48606,14 @@ var require_awsrequestsigner = __commonJS({
       }
     };
     exports2.AwsRequestSigner = AwsRequestSigner;
-    async function sign2(crypto16, key, msg) {
-      return await crypto16.signWithHmacSha256(key, msg);
-    }
-    async function getSigningKey(crypto16, key, dateStamp, region, serviceName) {
-      const kDate = await sign2(crypto16, `AWS4${key}`, dateStamp);
-      const kRegion = await sign2(crypto16, kDate, region);
-      const kService = await sign2(crypto16, kRegion, serviceName);
-      const kSigning = await sign2(crypto16, kService, "aws4_request");
+    async function sign2(crypto17, key, msg) {
+      return await crypto17.signWithHmacSha256(key, msg);
+    }
+    async function getSigningKey(crypto17, key, dateStamp, region, serviceName) {
+      const kDate = await sign2(crypto17, `AWS4${key}`, dateStamp);
+      const kRegion = await sign2(crypto17, kDate, region);
+      const kService = await sign2(crypto17, kRegion, serviceName);
+      const kSigning = await sign2(crypto17, kService, "aws4_request");
       return kSigning;
     }
     async function generateAuthenticationHeaderMap(options) {
@@ -50198,24 +50198,24 @@ var require_googleauth = __commonJS({
           const signed = await client.sign(data);
           return signed.signedBlob;
         }
-        const crypto16 = (0, crypto_1.createCrypto)();
+        const crypto17 = (0, crypto_1.createCrypto)();
         if (client instanceof jwtclient_1.JWT && client.key) {
-          const sign2 = await crypto16.sign(client.key, data);
+          const sign2 = await crypto17.sign(client.key, data);
           return sign2;
         }
         const creds = await this.getCredentials();
         if (!creds.client_email) {
           throw new Error("Cannot sign data without `client_email`.");
         }
-        return this.signBlob(crypto16, creds.client_email, data, endpoint);
+        return this.signBlob(crypto17, creds.client_email, data, endpoint);
       }
-      async signBlob(crypto16, emailOrUniqueId, data, endpoint) {
+      async signBlob(crypto17, emailOrUniqueId, data, endpoint) {
         const url = new URL(endpoint + `${emailOrUniqueId}:signBlob`);
         const res = await this.request({
           method: "POST",
           url: url.href,
           data: {
-            payload: crypto16.encodeBase64StringUtf8(data)
+            payload: crypto17.encodeBase64StringUtf8(data)
           },
           retry: true,
           retryConfig: {
@@ -50632,7 +50632,7 @@ var require_src10 = __commonJS({
 var require_object_hash = __commonJS({
   "../../node_modules/object-hash/index.js"(exports2, module2) {
     "use strict";
-    var crypto16 = require("crypto");
+    var crypto17 = require("crypto");
     exports2 = module2.exports = objectHash;
     function objectHash(object, options) {
       options = applyDefaults(object, options);
@@ -50650,7 +50650,7 @@ var require_object_hash = __commonJS({
     exports2.keysMD5 = function(object) {
       return objectHash(object, { algorithm: "md5", encoding: "hex", excludeValues: true });
     };
-    var hashes = crypto16.getHashes ? crypto16.getHashes().slice() : ["sha1", "md5"];
+    var hashes = crypto17.getHashes ? crypto17.getHashes().slice() : ["sha1", "md5"];
     hashes.push("passthrough");
     var encodings = ["buffer", "hex", "binary", "base64"];
     function applyDefaults(object, sourceOptions) {
@@ -50696,7 +50696,7 @@ var require_object_hash = __commonJS({
     function hash(object, options) {
       var hashingStream;
       if (options.algorithm !== "passthrough") {
-        hashingStream = crypto16.createHash(options.algorithm);
+        hashingStream = crypto17.createHash(options.algorithm);
       } else {
         hashingStream = new PassThrough();
       }
@@ -150124,14 +150124,14 @@ var require_etag = __commonJS({
   "../../node_modules/etag/index.js"(exports2, module2) {
     "use strict";
     module2.exports = etag;
-    var crypto16 = require("crypto");
+    var crypto17 = require("crypto");
     var Stats = require("fs").Stats;
     var toString = Object.prototype.toString;
     function entitytag(entity) {
       if (entity.length === 0) {
         return '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"';
       }
-      var hash = crypto16.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
+      var hash = crypto17.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
       var len = typeof entity === "string" ? Buffer.byteLength(entity, "utf8") : entity.length;
       return '"' + len.toString(16) + "-" + hash + '"';
     }
@@ -172482,17 +172482,17 @@ var require_content_disposition = __commonJS({
 // ../../node_modules/cookie-signature/index.js
 var require_cookie_signature = __commonJS({
   "../../node_modules/cookie-signature/index.js"(exports2) {
-    var crypto16 = require("crypto");
+    var crypto17 = require("crypto");
     exports2.sign = function(val, secret) {
       if ("string" != typeof val) throw new TypeError("Cookie value must be provided as a string.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
-      return val + "." + crypto16.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
+      return val + "." + crypto17.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
     };
     exports2.unsign = function(input, secret) {
       if ("string" != typeof input) throw new TypeError("Signed cookie string must be provided.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
       var tentativeValue = input.slice(0, input.lastIndexOf(".")), expectedInput = exports2.sign(tentativeValue, secret), expectedBuffer = Buffer.from(expectedInput), inputBuffer = Buffer.from(input);
-      return expectedBuffer.length === inputBuffer.length && crypto16.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
+      return expectedBuffer.length === inputBuffer.length && crypto17.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
     };
   }
 });
@@ -183402,9 +183402,9 @@ function resolveConfig(env = process.env) {
   }
   const cacheTtlStr = env.CLEF_AGENT_CACHE_TTL ?? "300";
   const cacheTtl = parseInt(cacheTtlStr, 10);
-  if (isNaN(cacheTtl) || cacheTtl < 30) {
+  if (isNaN(cacheTtl) || cacheTtl < 0 || cacheTtl > 0 && cacheTtl < 30) {
     throw new ConfigError(
-      `Invalid CLEF_AGENT_CACHE_TTL '${cacheTtlStr}'. Must be an integer >= 30.`
+      `Invalid CLEF_AGENT_CACHE_TTL '${cacheTtlStr}'. Must be 0 (just-in-time mode) or an integer >= 30.`
     );
   }
   const ageKey = env.CLEF_AGENT_AGE_KEY;
@@ -183434,6 +183434,11 @@ var SecretsCache = class {
   snapshot = null;
   /** Replace the cached secrets in a single reference assignment. */
   swap(values, keys, revision) {
+    if (this.snapshot) {
+      for (const k of Object.keys(this.snapshot.values)) {
+        this.snapshot.values[k] = "";
+      }
+    }
     this.snapshot = { values: { ...values }, keys: [...keys], revision, swappedAt: Date.now() };
   }
   /** Whether the cache has exceeded the given TTL (seconds). */
@@ -183441,8 +183446,13 @@ var SecretsCache = class {
     if (!this.snapshot) return false;
     return (Date.now() - this.snapshot.swappedAt) / 1e3 > ttlSeconds;
   }
-  /** Clear the cached snapshot. */
+  /** Clear the cached snapshot, zeroing values first (best-effort). */
   wipe() {
+    if (this.snapshot) {
+      for (const k of Object.keys(this.snapshot.values)) {
+        this.snapshot.values[k] = "";
+      }
+    }
     this.snapshot = null;
   }
   /** Epoch ms when the cache was last swapped, or null if never loaded. */
@@ -183507,20 +183517,16 @@ var DiskCache = class {
   }
   /** Get the SHA from the cached metadata, if available. */
   getCachedSha() {
-    try {
-      const raw = fs.readFileSync(this.metaPath, "utf-8");
-      const meta = JSON.parse(raw);
-      return meta.sha;
-    } catch {
-      return void 0;
-    }
+    return this.readMeta()?.sha;
   }
   /** Get the fetchedAt timestamp from metadata, if available. */
   getFetchedAt() {
+    return this.readMeta()?.fetchedAt;
+  }
+  readMeta() {
     try {
       const raw = fs.readFileSync(this.metaPath, "utf-8");
-      const meta = JSON.parse(raw);
-      return meta.fetchedAt;
+      return JSON.parse(raw);
     } catch {
       return void 0;
     }
@@ -183576,7 +183582,10 @@ var AgeDecryptor = class {
 };
 
 // ../runtime/src/poller.ts
-var crypto15 = __toESM(require("crypto"));
+var crypto16 = __toESM(require("crypto"));
+
+// ../runtime/src/artifact-decryptor.ts
+var crypto14 = __toESM(require("crypto"));
 
 // ../runtime/src/kms/aws.ts
 var AwsKmsProvider = class {
@@ -183741,11 +183750,106 @@ function createKmsProvider(provider, options) {
   }
 }
 
+// ../runtime/src/artifact-decryptor.ts
+var ArtifactDecryptor = class {
+  ageDecryptor = new AgeDecryptor();
+  privateKey;
+  telemetryOverride;
+  initialTelemetry;
+  constructor(options) {
+    this.privateKey = options.privateKey;
+    this.initialTelemetry = options.telemetry;
+  }
+  /** Set or replace the telemetry emitter. */
+  setTelemetry(emitter) {
+    this.telemetryOverride = emitter;
+  }
+  get telemetry() {
+    return this.telemetryOverride ?? this.initialTelemetry;
+  }
+  /**
+   * Decrypt an artifact envelope into plaintext key-value pairs.
+   *
+   * @throws On KMS unwrap failure, AES-GCM auth failure, age decrypt failure,
+   *         missing private key (config error), or malformed plaintext JSON.
+   */
+  async decrypt(artifact) {
+    let plaintext;
+    if (artifact.envelope) {
+      plaintext = await this.decryptKmsEnvelope(artifact);
+    } else {
+      plaintext = await this.decryptAge(artifact);
+    }
+    let values;
+    try {
+      values = JSON.parse(plaintext);
+    } catch (err) {
+      this.telemetry?.artifactInvalid({
+        reason: "payload_parse",
+        error: err instanceof Error ? err.message : String(err)
+      });
+      throw err;
+    } finally {
+      plaintext = "";
+    }
+    return { values, keys: artifact.keys, revision: artifact.revision };
+  }
+  /** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
+  async decryptKmsEnvelope(artifact) {
+    const envelope = artifact.envelope;
+    let dek;
+    try {
+      const kms = createKmsProvider(envelope.provider);
+      const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
+      dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
+    } catch (err) {
+      this.telemetry?.artifactInvalid({
+        reason: "kms_unwrap",
+        error: err instanceof Error ? err.message : String(err)
+      });
+      throw err;
+    }
+    try {
+      const iv = Buffer.from(envelope.iv, "base64");
+      const authTag = Buffer.from(envelope.authTag, "base64");
+      const ciphertextBuf = Buffer.from(artifact.ciphertext, "base64");
+      const decipher = crypto14.createDecipheriv("aes-256-gcm", dek, iv);
+      decipher.setAuthTag(authTag);
+      return Buffer.concat([decipher.update(ciphertextBuf), decipher.final()]).toString("utf-8");
+    } catch (err) {
+      this.telemetry?.artifactInvalid({
+        reason: "decrypt",
+        error: err instanceof Error ? err.message : String(err)
+      });
+      throw err;
+    } finally {
+      dek.fill(0);
+    }
+  }
+  /** Age-only: decrypt with the static private key. */
+  async decryptAge(artifact) {
+    if (!this.privateKey) {
+      throw new Error(
+        "Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption."
+      );
+    }
+    try {
+      return await this.ageDecryptor.decrypt(artifact.ciphertext, this.privateKey);
+    } catch (err) {
+      this.telemetry?.artifactInvalid({
+        reason: err instanceof SyntaxError ? "payload_parse" : "decrypt",
+        error: err instanceof Error ? err.message : String(err)
+      });
+      throw err;
+    }
+  }
+};
+
 // ../runtime/src/signature.ts
-var crypto14 = __toESM(require("crypto"));
+var crypto15 = __toESM(require("crypto"));
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v1",
+    "clef-sig-v2",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
@@ -183757,12 +183861,14 @@ function buildSigningPayload(artifact) {
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
     artifact.envelope?.wrappedKey ?? "",
-    artifact.envelope?.algorithm ?? ""
+    artifact.envelope?.algorithm ?? "",
+    artifact.envelope?.iv ?? "",
+    artifact.envelope?.authTag ?? ""
   ];
   return Buffer.from(fields.join("\n"), "utf-8");
 }
 function verifySignature(payload, signatureBase64, publicKeyBase64) {
-  const keyObj = crypto14.createPublicKey({
+  const keyObj = crypto15.createPublicKey({
     key: Buffer.from(publicKeyBase64, "base64"),
     format: "der",
     type: "spki"
@@ -183770,10 +183876,10 @@ function verifySignature(payload, signatureBase64, publicKeyBase64) {
   const signature = Buffer.from(signatureBase64, "base64");
   const keyType = keyObj.asymmetricKeyType;
   if (keyType === "ed25519") {
-    return crypto14.verify(null, payload, keyObj, signature);
+    return crypto15.verify(null, payload, keyObj, signature);
   }
   if (keyType === "ec") {
-    return crypto14.verify("sha256", payload, keyObj, signature);
+    return crypto15.verify("sha256", payload, keyObj, signature);
   }
   throw new Error(`Unsupported key type for signature verification: ${keyType}`);
 }
@@ -183785,28 +183891,73 @@ var ArtifactPoller = class {
   lastContentHash = null;
   lastRevision = null;
   lastExpiresAt = null;
-  decryptor = new AgeDecryptor();
+  decryptor;
   options;
+  jitMode;
   telemetryOverride;
   constructor(options) {
     this.options = options;
+    this.jitMode = !!options.encryptedStore;
+    this.decryptor = new ArtifactDecryptor({
+      privateKey: options.privateKey,
+      telemetry: options.telemetry
+    });
+  }
+  /** Get the decryptor instance (for JIT mode server wiring). */
+  getDecryptor() {
+    return this.decryptor;
   }
   /** Set or replace the telemetry emitter (e.g. after resolving token from secrets). */
   setTelemetry(emitter) {
     this.telemetryOverride = emitter;
+    this.decryptor.setTelemetry(emitter);
   }
   get telemetry() {
     return this.telemetryOverride ?? this.options.telemetry;
   }
-  /** Fetch, validate, decrypt, and cache the artifact. */
+  /**
+   * Fetch, validate, decrypt, and cache the artifact.
+   * Used in cached mode (cacheTtl > 0).
+   */
   async fetchAndDecrypt() {
+    const result = await this.fetchRaw();
+    if (!result) return;
+    await this.validateDecryptAndCache(result.artifact, result.contentHash);
+  }
+  /**
+   * Fetch and validate the artifact without decrypting.
+   * Stores the validated envelope in the encryptedStore for on-demand decryption.
+   * Used in JIT mode (cacheTtl = 0).
+   */
+  async fetchAndValidate() {
+    const result = await this.fetchRaw();
+    if (!result) return;
+    const artifact = this.validateArtifact(result.artifact);
+    this.options.encryptedStore.swap(artifact);
+    this.lastRevision = artifact.revision;
+    this.lastContentHash = result.contentHash ?? null;
+    this.lastExpiresAt = artifact.expiresAt ?? null;
+    this.options.onRefresh?.(artifact.revision);
+    this.telemetry?.artifactRefreshed({
+      revision: artifact.revision,
+      keyCount: artifact.keys.length,
+      kmsEnvelope: !!artifact.envelope
+    });
+  }
+  /**
+   * Fetch the raw artifact from the source (with disk cache fallback),
+   * parse JSON, and check for revocation.
+   *
+   * Returns null when the content hash is unchanged (short-circuit).
+   */
+  async fetchRaw() {
     let raw;
     let contentHash;
     try {
       const result = await this.options.source.fetch();
       raw = result.raw;
       contentHash = result.contentHash;
-      if (contentHash && contentHash === this.lastContentHash) return;
+      if (contentHash && contentHash === this.lastContentHash) return null;
       this.options.diskCache?.write(raw, contentHash);
     } catch (err) {
       this.telemetry?.fetchFailed({
@@ -183817,7 +183968,7 @@ var ArtifactPoller = class {
       if (this.options.diskCache) {
         const cached = this.options.diskCache.read();
         if (cached) {
-          if (ttl !== void 0) {
+          if (ttl !== void 0 && ttl > 0) {
             const fetchedAt = this.options.diskCache.getFetchedAt();
             if (fetchedAt && (Date.now() - new Date(fetchedAt).getTime()) / 1e3 > ttl) {
               this.options.cache.wipe();
@@ -183831,9 +183982,9 @@ var ArtifactPoller = class {
           }
           raw = cached;
           contentHash = this.options.diskCache.getCachedSha();
-          if (contentHash && contentHash === this.lastContentHash) return;
+          if (contentHash && contentHash === this.lastContentHash) return null;
         } else {
-          if (ttl !== void 0 && this.options.cache.isExpired(ttl)) {
+          if (ttl !== void 0 && ttl > 0 && this.options.cache.isExpired(ttl)) {
             this.options.cache.wipe();
             this.telemetry?.cacheExpired({
               cacheTtlSeconds: ttl,
@@ -183844,7 +183995,7 @@ var ArtifactPoller = class {
           throw err;
         }
       } else {
-        if (ttl !== void 0 && this.options.cache.isExpired(ttl)) {
+        if (ttl !== void 0 && ttl > 0 && this.options.cache.isExpired(ttl)) {
           this.options.cache.wipe();
           this.telemetry?.cacheExpired({
             cacheTtlSeconds: ttl,
@@ -183858,6 +184009,7 @@ var ArtifactPoller = class {
     const parsed = JSON.parse(raw);
     if (parsed.revokedAt) {
       this.options.cache.wipe();
+      this.options.encryptedStore?.wipe();
       this.options.diskCache?.purge();
       this.lastRevision = null;
       this.lastContentHash = null;
@@ -183868,17 +184020,18 @@ var ArtifactPoller = class {
         `Artifact revoked: ${parsed.identity}/${parsed.environment} at ${parsed.revokedAt}`
       );
     }
-    await this.validateDecryptAndCache(raw, contentHash);
+    return { artifact: parsed, contentHash };
   }
   /**
-   * Validate the artifact, decrypt it, and swap the cache.
-   * Emits `artifact.invalid` on any validation or decryption failure,
-   * and `artifact.expired` / `artifact.refreshed` on their respective paths.
+   * Validate the artifact envelope: version, required fields, expiry,
+   * revision dedup, integrity hash, and signature.
+   * Emits `artifact.invalid` / `artifact.expired` telemetry on failure.
+   * Returns the validated artifact, or throws.
    */
-  async validateDecryptAndCache(raw, contentHash) {
+  validateArtifact(parsed) {
     let artifact;
     try {
-      artifact = this.parseAndValidate(raw);
+      artifact = this.validateEnvelope(parsed);
     } catch (err) {
       this.telemetry?.artifactInvalid({
         reason: classifyValidationError(err),
@@ -183888,12 +184041,13 @@ var ArtifactPoller = class {
     }
     if (artifact.expiresAt && Date.now() > new Date(artifact.expiresAt).getTime()) {
       this.options.cache.wipe();
+      this.options.encryptedStore?.wipe();
       this.options.diskCache?.purge();
       this.telemetry?.artifactExpired({ expiresAt: artifact.expiresAt });
       throw new Error(`Artifact expired at ${artifact.expiresAt}`);
     }
-    if (artifact.revision === this.lastRevision) return;
-    const hash = crypto15.createHash("sha256").update(artifact.ciphertext).digest("hex");
+    if (artifact.revision === this.lastRevision) return artifact;
+    const hash = crypto16.createHash("sha256").update(artifact.ciphertext).digest("hex");
     if (hash !== artifact.ciphertextHash) {
       const err = new Error(
         `Artifact integrity check failed: expected hash ${artifact.ciphertextHash}, got ${hash}`
@@ -183940,59 +184094,33 @@ var ArtifactPoller = class {
         throw err;
       }
     }
-    let agePrivateKey;
-    if (artifact.envelope) {
-      try {
-        const kms = createKmsProvider(artifact.envelope.provider);
-        const wrappedKey = Buffer.from(artifact.envelope.wrappedKey, "base64");
-        const unwrapped = await kms.unwrap(
-          artifact.envelope.keyId,
-          wrappedKey,
-          artifact.envelope.algorithm
-        );
-        agePrivateKey = unwrapped.toString("utf-8");
-        unwrapped.fill(0);
-      } catch (err) {
-        this.telemetry?.artifactInvalid({
-          reason: "kms_unwrap",
-          error: err instanceof Error ? err.message : String(err)
-        });
-        throw err;
-      }
-    } else {
-      if (!this.options.privateKey) {
-        throw new Error(
-          "Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption."
-        );
-      }
-      agePrivateKey = this.options.privateKey;
-    }
-    try {
-      const plaintext = await this.decryptor.decrypt(artifact.ciphertext, agePrivateKey);
-      const values = JSON.parse(plaintext);
-      this.options.cache.swap(values, artifact.keys, artifact.revision);
-      this.lastRevision = artifact.revision;
-      this.lastContentHash = contentHash ?? null;
-      this.lastExpiresAt = artifact.expiresAt ?? null;
-      this.options.onRefresh?.(artifact.revision);
-      this.telemetry?.artifactRefreshed({
-        revision: artifact.revision,
-        keyCount: artifact.keys.length,
-        kmsEnvelope: !!artifact.envelope
-      });
-    } catch (err) {
-      if (err instanceof Error && !err.message.includes("integrity check failed")) {
-        this.telemetry?.artifactInvalid({
-          reason: err instanceof SyntaxError ? "payload_parse" : "decrypt",
-          error: err.message
-        });
-      }
-      throw err;
-    }
+    return artifact;
+  }
+  /**
+   * Validate then decrypt and cache. Used by fetchAndDecrypt (cached mode).
+   */
+  async validateDecryptAndCache(parsed, contentHash) {
+    const artifact = this.validateArtifact(parsed);
+    if (artifact.revision === this.lastRevision) return;
+    const { values } = await this.decryptor.decrypt(artifact);
+    this.options.cache.swap(values, artifact.keys, artifact.revision);
+    this.lastRevision = artifact.revision;
+    this.lastContentHash = contentHash ?? null;
+    this.lastExpiresAt = artifact.expiresAt ?? null;
+    this.options.onRefresh?.(artifact.revision);
+    this.telemetry?.artifactRefreshed({
+      revision: artifact.revision,
+      keyCount: artifact.keys.length,
+      kmsEnvelope: !!artifact.envelope
+    });
   }
   /** Start the polling loop. Performs an initial fetch immediately. */
   async start() {
-    await this.fetchAndDecrypt();
+    if (this.jitMode) {
+      await this.fetchAndValidate();
+    } else {
+      await this.fetchAndDecrypt();
+    }
     this.scheduleNext();
   }
   /** Start only the polling schedule (no initial fetch). */
@@ -184017,7 +184145,11 @@ var ArtifactPoller = class {
     this.timer = setTimeout(async () => {
       this.timer = null;
       try {
-        await this.fetchAndDecrypt();
+        if (this.jitMode) {
+          await this.fetchAndValidate();
+        } else {
+          await this.fetchAndDecrypt();
+        }
       } catch (err) {
         this.options.onError?.(err instanceof Error ? err : new Error(String(err)));
       }
@@ -184033,14 +184165,14 @@ var ArtifactPoller = class {
       }
       return MIN_POLL_MS;
     }
+    if (this.jitMode) return MIN_POLL_MS;
     const ttl = this.options.cacheTtl;
     if (ttl !== void 0) {
       return Math.max(ttl / 10 * 1e3, MIN_POLL_MS);
     }
     return 3e4;
   }
-  parseAndValidate(raw) {
-    const artifact = JSON.parse(raw);
+  validateEnvelope(artifact) {
     if (artifact.version !== 1) {
       throw new Error(`Unsupported artifact version: ${artifact.version}`);
     }
@@ -184048,7 +184180,7 @@ var ArtifactPoller = class {
       throw new Error("Invalid artifact: missing required fields.");
     }
     if (artifact.envelope) {
-      if (!artifact.envelope.provider || !artifact.envelope.keyId || !artifact.envelope.wrappedKey || !artifact.envelope.algorithm) {
+      if (!artifact.envelope.provider || !artifact.envelope.keyId || !artifact.envelope.wrappedKey || !artifact.envelope.algorithm || !artifact.envelope.iv || !artifact.envelope.authTag) {
         throw new Error("Invalid artifact: incomplete envelope fields.");
       }
     }
@@ -184065,6 +184197,42 @@ function classifyValidationError(err) {
   return "unknown";
 }
 
+// ../runtime/src/encrypted-artifact-store.ts
+var EncryptedArtifactStore = class {
+  artifact = null;
+  _storedAt = null;
+  /** Atomically replace the stored artifact. */
+  swap(artifact) {
+    this.artifact = artifact;
+    this._storedAt = Date.now();
+  }
+  /** Get the current encrypted artifact. Returns null if not yet loaded. */
+  get() {
+    return this.artifact;
+  }
+  /** Whether an artifact has been stored. */
+  isReady() {
+    return this.artifact !== null;
+  }
+  /** Epoch ms of last store, or null. */
+  getStoredAt() {
+    return this._storedAt;
+  }
+  /** Get key names from the stored artifact metadata (no decryption needed). */
+  getKeys() {
+    return this.artifact ? [...this.artifact.keys] : [];
+  }
+  /** Get the revision from the stored artifact. */
+  getRevision() {
+    return this.artifact?.revision ?? null;
+  }
+  /** Clear the stored artifact (on revocation/expiry). */
+  wipe() {
+    this.artifact = null;
+    this._storedAt = null;
+  }
+};
+
 // ../runtime/src/telemetry.ts
 var SEVERITY = {
   "agent.started": { number: 9, text: "INFO" },
@@ -184357,14 +184525,23 @@ var HttpArtifactSource = class {
   async fetch() {
     const res = await fetch(this.url);
     if (!res.ok) {
-      throw new Error(`Failed to fetch artifact from ${this.url}: ${res.status}`);
+      throw new Error(`Failed to fetch artifact from ${this.describe()}: ${res.status}`);
     }
     const raw = await res.text();
     const etag = res.headers.get("etag") ?? void 0;
     return { raw, contentHash: etag };
   }
   describe() {
-    return `HTTP ${this.url}`;
+    try {
+      const parsed = new URL(this.url);
+      if (parsed.username || parsed.password) {
+        parsed.username = "***";
+        parsed.password = "";
+      }
+      return `HTTP ${parsed.href}`;
+    } catch {
+      return "HTTP <invalid-url>";
+    }
   }
 };
 
@@ -184410,41 +184587,59 @@ var import_crypto16 = require("crypto");
 var import_express = __toESM(require_express2());
 
 // src/health.ts
-function healthHandler(cache, cacheTtl) {
+function healthHandler(cache, cacheTtl, encryptedStore) {
   return (_req, res) => {
-    const expired = cacheTtl !== void 0 && cache.isExpired(cacheTtl);
-    res.json({
-      status: "ok",
-      revision: cache.getRevision(),
-      lastRefreshAt: cache.getSwappedAt(),
-      expired
-    });
+    if (encryptedStore) {
+      res.json({
+        status: "ok",
+        mode: "jit",
+        revision: encryptedStore.getRevision(),
+        lastRefreshAt: encryptedStore.getStoredAt(),
+        expired: false
+      });
+    } else {
+      const expired = cacheTtl !== void 0 && cache.isExpired(cacheTtl);
+      res.json({
+        status: "ok",
+        mode: "cached",
+        revision: cache.getRevision(),
+        lastRefreshAt: cache.getSwappedAt(),
+        expired
+      });
+    }
   };
 }
-function readyHandler(cache, cacheTtl) {
+function readyHandler(cache, cacheTtl, encryptedStore) {
   return (_req, res) => {
-    if (!cache.isReady()) {
-      res.status(503).json({ ready: false, reason: "not_loaded" });
-      return;
-    }
-    if (cacheTtl !== void 0 && cache.isExpired(cacheTtl)) {
-      res.status(503).json({ ready: false, reason: "cache_expired" });
-      return;
+    if (encryptedStore) {
+      if (!encryptedStore.isReady()) {
+        res.status(503).json({ ready: false, reason: "not_loaded" });
+        return;
+      }
+      res.status(200).json({ ready: true });
+    } else {
+      if (!cache.isReady()) {
+        res.status(503).json({ ready: false, reason: "not_loaded" });
+        return;
+      }
+      if (cacheTtl !== void 0 && cache.isExpired(cacheTtl)) {
+        res.status(503).json({ ready: false, reason: "cache_expired" });
+        return;
+      }
+      res.status(200).json({ ready: true });
     }
-    res.status(200).json({ ready: true });
   };
 }
 
 // src/server.ts
 function startAgentServer(options) {
-  const { port, token, cache, cacheTtl } = options;
+  const { port, token, cache, cacheTtl, decryptor, encryptedStore } = options;
+  const jitMode = !!decryptor && !!encryptedStore;
   const app = (0, import_express.default)();
-  app.use(import_express.default.json());
+  const allowedHosts = /* @__PURE__ */ new Set([`127.0.0.1:${port}`, "127.0.0.1"]);
   app.use("/v1", (req, res, next) => {
     const host = req.headers.host ?? "";
-    const actualPort = req.socket.address()?.port ?? port;
-    const allowedHosts = [`127.0.0.1:${actualPort}`, `127.0.0.1:${port}`];
-    if (!allowedHosts.includes(host)) {
+    if (!allowedHosts.has(host)) {
       res.status(403).json({ error: "Forbidden: invalid Host header" });
       return;
     }
@@ -184454,12 +184649,17 @@ function startAgentServer(options) {
     res.setHeader("Cache-Control", "no-store");
     next();
   });
-  app.get("/v1/health", healthHandler(cache, cacheTtl));
-  app.get("/v1/ready", readyHandler(cache, cacheTtl));
+  app.get("/v1/health", healthHandler(cache, cacheTtl, encryptedStore));
+  app.get("/v1/ready", readyHandler(cache, cacheTtl, encryptedStore));
   app.use("/v1/secrets", authMiddleware(token));
   app.use("/v1/keys", authMiddleware(token));
   const ttlGuard = (_req, res, next) => {
-    if (cacheTtl !== void 0 && cache.isExpired(cacheTtl)) {
+    if (jitMode) {
+      if (!encryptedStore.isReady()) {
+        res.status(503).json({ error: "Secrets not yet loaded" });
+        return;
+      }
+    } else if (cacheTtl !== void 0 && cache.isExpired(cacheTtl)) {
       res.status(503).json({ error: "Secrets expired" });
       return;
     }
@@ -184467,24 +184667,35 @@ function startAgentServer(options) {
   };
   app.use("/v1/secrets", ttlGuard);
   app.use("/v1/keys", ttlGuard);
-  app.get("/v1/secrets", (_req, res) => {
-    const all = cache.getAll();
-    if (!all) {
-      res.status(503).json({ error: "Secrets not yet loaded" });
-      return;
-    }
-    res.json(all);
-  });
-  app.get("/v1/secrets/:key", (req, res) => {
-    const value = cache.get(req.params.key);
-    if (value === void 0) {
-      res.status(404).json({ error: `Secret '${req.params.key}' not found` });
-      return;
+  app.get("/v1/secrets", async (_req, res) => {
+    if (jitMode) {
+      const artifact = encryptedStore.get();
+      if (!artifact) {
+        res.status(503).json({ error: "Secrets not yet loaded" });
+        return;
+      }
+      try {
+        const { values } = await decryptor.decrypt(artifact);
+        res.json(values);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        res.status(503).json({ error: "Decryption failed", detail: message });
+      }
+    } else {
+      const all = cache.getAll();
+      if (!all) {
+        res.status(503).json({ error: "Secrets not yet loaded" });
+        return;
+      }
+      res.json(all);
     }
-    res.json({ value });
   });
   app.get("/v1/keys", (_req, res) => {
-    res.json(cache.getKeys());
+    if (jitMode) {
+      res.json(encryptedStore.getKeys());
+    } else {
+      res.json(cache.getKeys());
+    }
   });
   const url = `http://127.0.0.1:${port}`;
   return new Promise((resolve, reject) => {
@@ -184510,11 +184721,11 @@ function startAgentServer(options) {
   });
 }
 function authMiddleware(token) {
+  const expectedBuf = Buffer.from(token);
   return (req, res, next) => {
     const authHeader = req.headers.authorization ?? "";
     const provided = authHeader.startsWith("Bearer ") ? authHeader.slice(7) : "";
     const providedBuf = Buffer.from(provided);
-    const expectedBuf = Buffer.from(token);
     if (!provided || providedBuf.length !== expectedBuf.length || !(0, import_crypto16.timingSafeEqual)(providedBuf, expectedBuf)) {
       res.status(401).json({ error: "Unauthorized" });
       return;
@@ -184530,6 +184741,8 @@ var Daemon = class {
   shutdownResolve;
   shutdownPromise;
   startedAt;
+  sigTermHandler;
+  sigIntHandler;
   constructor(options) {
     this.options = options;
     this.startedAt = Date.now();
@@ -184544,6 +184757,8 @@ var Daemon = class {
       if (this.shutdownRequested) return;
       this.shutdownRequested = true;
       onLog?.("Shutting down...");
+      if (this.sigTermHandler) process.off("SIGTERM", this.sigTermHandler);
+      if (this.sigIntHandler) process.off("SIGINT", this.sigIntHandler);
       poller.stop();
       telemetry?.agentStopped({
         reason: "signal",
@@ -184560,14 +184775,16 @@ var Daemon = class {
       onLog?.("Shutdown complete.");
       this.shutdownResolve?.();
     };
-    process.on("SIGTERM", () => {
+    this.sigTermHandler = () => {
       shutdown().catch(() => {
       });
-    });
-    process.on("SIGINT", () => {
+    };
+    this.sigIntHandler = () => {
       shutdown().catch(() => {
       });
-    });
+    };
+    process.on("SIGTERM", this.sigTermHandler);
+    process.on("SIGINT", this.sigIntHandler);
     onLog?.(`Agent server listening at ${server.url}`);
     poller.startPolling();
     onLog?.("Agent ready. Polling for updates.");
@@ -184579,11 +184796,12 @@ var Daemon = class {
 };
 
 // package.json
-var version5 = "0.1.8-beta.52";
+var version5 = "0.1.9-beta.57";
 
 // src/main.ts
 async function main() {
   const config = resolveConfig();
+  const jitMode = config.cacheTtl === 0;
   let privateKey;
   try {
     const decryptor = new AgeDecryptor();
@@ -184607,6 +184825,7 @@ async function main() {
   }
   const diskCache = config.cachePath && config.vcs ? new DiskCache(config.cachePath, config.vcs.identity, config.vcs.environment) : void 0;
   const cache = new SecretsCache();
+  const encryptedStore = jitMode ? new EncryptedArtifactStore() : void 0;
   const poller = new ArtifactPoller({
     source,
     privateKey,
@@ -184614,9 +184833,17 @@ async function main() {
     diskCache,
     cacheTtl: config.cacheTtl,
     verifyKey: config.verifyKey,
+    encryptedStore,
     onError: (err) => console.error(`[clef-agent] poll error: ${err.message}`)
   });
-  await poller.fetchAndDecrypt();
+  if (jitMode) {
+    await poller.fetchAndValidate();
+    const artifact = encryptedStore.get();
+    const { values } = await poller.getDecryptor().decrypt(artifact);
+    cache.swap(values, artifact.keys, artifact.revision);
+  } else {
+    await poller.fetchAndDecrypt();
+  }
   let telemetry;
   if (config.telemetry) {
     const headers = {};
@@ -184642,11 +184869,15 @@ async function main() {
     });
     poller.setTelemetry(telemetry);
   }
+  if (jitMode) {
+    cache.wipe();
+  }
   const server = await startAgentServer({
     port: config.port,
     token: config.token,
     cache,
-    cacheTtl: config.cacheTtl
+    cacheTtl: config.cacheTtl,
+    ...jitMode ? { decryptor: poller.getDecryptor(), encryptedStore } : {}
   });
   const daemon = new Daemon({
     poller,
@@ -184655,7 +184886,8 @@ async function main() {
     onLog: (msg) => console.log(`[clef-agent] ${msg}`)
   });
   telemetry?.agentStarted({ version: version5 });
-  console.log(`[clef-agent] token: [${config.token.length} chars]`);
+  console.log(`[clef-agent] mode: ${jitMode ? "jit" : "cached"}`);
+  console.log(`[clef-agent] token: [set]`);
   await daemon.start();
 }
 main().catch((err) => {