npm - @clef-sh/cli - Versions diffs - 0.1.11-beta.62 → 0.1.11-beta.66 - Mend

@clef-sh/cli 0.1.11-beta.62 → 0.1.11-beta.66

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/client/assets/index-BEZELuvA.js +26 -0
package/dist/client/index.html +1 -1
package/dist/index.cjs +338 -399
package/dist/index.cjs.map +4 -4
package/dist/index.mjs +338 -399
package/dist/index.mjs.map +4 -4
package/package.json +1 -1
package/dist/client/assets/index-DDB5KCov.js +0 -26

package/dist/index.mjs CHANGED Viewed

@@ -10238,7 +10238,7 @@ var require_public_api = __commonJS({
       }
       return doc;
     }
-    function parse16(src, reviver, options) {
+    function parse15(src, reviver, options) {
       let _reviver = void 0;
       if (typeof reviver === "function") {
         _reviver = reviver;
@@ -10279,7 +10279,7 @@ var require_public_api = __commonJS({
         return value.toString(options);
       return new Document.Document(value, _replacer, options).toString(options);
     }
-    exports.parse = parse16;
+    exports.parse = parse15;
     exports.parseAllDocuments = parseAllDocuments;
     exports.parseDocument = parseDocument;
     exports.stringify = stringify8;
@@ -10811,8 +10811,26 @@ var init_parser = __esm({
             "sops.default_backend"
           );
         }
+        const ageObj = sopsObj.age;
+        const ageRecipients = ageObj && Array.isArray(ageObj.recipients) ? ageObj.recipients : void 0;
+        const parsedAge = ageRecipients ? {
+          age: {
+            recipients: ageRecipients.map((r) => {
+              if (typeof r === "string") return r;
+              if (typeof r === "object" && r !== null) {
+                const obj2 = r;
+                return {
+                  key: String(obj2.key ?? ""),
+                  ...typeof obj2.label === "string" ? { label: obj2.label } : {}
+                };
+              }
+              return String(r);
+            })
+          }
+        } : {};
         const sopsConfig = {
           default_backend: sopsObj.default_backend,
+          ...parsedAge,
           ...typeof sopsObj.aws_kms_arn === "string" ? { aws_kms_arn: sopsObj.aws_kms_arn } : {},
           ...typeof sopsObj.gcp_kms_resource_id === "string" ? { gcp_kms_resource_id: sopsObj.gcp_kms_resource_id } : {},
           ...typeof sopsObj.azure_kv_url === "string" ? { azure_kv_url: sopsObj.azure_kv_url } : {},
@@ -11204,8 +11222,8 @@ var init_scanner = __esm({
     ALWAYS_SKIP_EXTENSIONS = [".enc.yaml", ".enc.json"];
     ALWAYS_SKIP_NAMES = [
       ".clef-meta.yaml",
-      ".sops.yaml"
-      // contains age public keys and KMS ARNs — configuration, not secrets
+      "clef.yaml"
+      // manifest — contains public keys and config, not secrets
     ];
     ALWAYS_SKIP_DIRS = ["node_modules", ".git"];
     MAX_FILE_SIZE = 1024 * 1024;
@@ -19883,9 +19901,12 @@ var init_client = __esm({
         }
         let result;
         try {
+          const configPath = process.platform === "win32" ? "NUL" : "/dev/null";
           result = await this.runner.run(
             this.sopsCommand,
             [
+              "--config",
+              configPath,
               "encrypt",
               ...args,
               "--input-type",
@@ -20122,8 +20143,15 @@ var init_client = __esm({
           pgp_fingerprint: manifest.sops.pgp_fingerprint
         };
         switch (config.backend) {
-          case "age":
+          case "age": {
+            const envRecipients = environment ? resolveRecipientsForEnvironment(manifest, environment) : void 0;
+            const recipients = envRecipients ?? manifest.sops.age?.recipients ?? [];
+            const keys = recipients.map((r) => typeof r === "string" ? r : r.key);
+            if (keys.length > 0) {
+              args.push("--age", keys.join(","));
+            }
             break;
+          }
           case "awskms":
             if (config.aws_kms_arn) {
               args.push("--kms", config.aws_kms_arn);
@@ -22271,14 +22299,13 @@ var init_resolve = __esm({
 import * as crypto3 from "crypto";
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v2",
+    "clef-sig-v3",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
     artifact.revision,
     artifact.packedAt,
     artifact.ciphertextHash,
-    [...artifact.keys].sort().join(","),
     artifact.expiresAt ?? "",
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
@@ -22416,7 +22443,6 @@ var init_packer = __esm({
               revision,
               ciphertextHash,
               ciphertext,
-              keys: Object.keys(resolved.values),
               envelope: {
                 provider: kmsConfig.provider,
                 keyId: kmsConfig.keyId,
@@ -22450,8 +22476,7 @@ var init_packer = __esm({
             packedAt: (/* @__PURE__ */ new Date()).toISOString(),
             revision,
             ciphertextHash,
-            ciphertext,
-            keys: Object.keys(resolved.values)
+            ciphertext
           };
         }
         const outputDir = path19.dirname(config.outputPath);
@@ -22536,7 +22561,7 @@ var init_backend = __esm({
         this.encryption = encryption;
         this.matrixManager = matrixManager;
       }
-      async migrate(manifest, repoRoot, options, callbacks, onProgress) {
+      async migrate(manifest, repoRoot, options, onProgress) {
         const { target, environment, dryRun, skipVerify } = options;
         if (environment) {
           const env = manifest.environments.find((e) => e.name === environment);
@@ -22606,14 +22631,11 @@ var init_backend = __esm({
         }
         const manifestPath = path20.join(repoRoot, CLEF_MANIFEST_FILENAME);
         const manifestBackup = fs17.readFileSync(manifestPath, "utf-8");
-        const sopsYamlPath = path20.join(repoRoot, ".sops.yaml");
-        const sopsYamlBackup = fs17.existsSync(sopsYamlPath) ? fs17.readFileSync(sopsYamlPath, "utf-8") : void 0;
         const fileBackups = /* @__PURE__ */ new Map();
         const doc = readManifestYaml(repoRoot);
         this.updateManifestDoc(doc, target, environment);
         writeManifestYaml(repoRoot, doc);
         const updatedManifest = YAML11.parse(YAML11.stringify(doc));
-        callbacks.regenerateSopsConfig();
         const migratedFiles = [];
         for (const cell of toMigrate) {
           try {
@@ -22632,7 +22654,7 @@ var init_backend = __esm({
             );
             migratedFiles.push(cell.filePath);
           } catch (err) {
-            this.rollback(manifestPath, manifestBackup, sopsYamlPath, sopsYamlBackup, fileBackups);
+            this.rollback(manifestPath, manifestBackup, fileBackups);
             const errorMsg = err instanceof Error ? err.message : String(err);
             onProgress?.({
               type: "warn",
@@ -22696,15 +22718,10 @@ var init_backend = __esm({
           }
         }
       }
-      rollback(manifestPath, manifestBackup, sopsYamlPath, sopsYamlBackup, fileBackups) {
+      rollback(manifestPath, manifestBackup, fileBackups) {
         for (const [filePath, backup] of fileBackups) {
           fs17.writeFileSync(filePath, backup, "utf-8");
         }
-        if (sopsYamlBackup !== void 0) {
-          fs17.writeFileSync(sopsYamlPath, sopsYamlBackup, "utf-8");
-        } else if (fs17.existsSync(sopsYamlPath)) {
-          fs17.unlinkSync(sopsYamlPath);
-        }
         fs17.writeFileSync(manifestPath, manifestBackup, "utf-8");
       }
       checkAgeRecipientsWarning(manifest, target, environment, warnings) {
@@ -22934,7 +22951,7 @@ var require_ms = __commonJS({
       options = options || {};
       var type = typeof val;
       if (type === "string" && val.length > 0) {
-        return parse16(val);
+        return parse15(val);
       } else if (type === "number" && isFinite(val)) {
         return options.long ? fmtLong(val) : fmtShort(val);
       }
@@ -22942,7 +22959,7 @@ var require_ms = __commonJS({
         "val is not a non-empty string or a valid number. val=" + JSON.stringify(val)
       );
     };
-    function parse16(str2) {
+    function parse15(str2) {
       str2 = String(str2);
       if (str2.length > 100) {
         return;
@@ -24381,7 +24398,7 @@ var require_bytes = __commonJS({
     "use strict";
     module.exports = bytes;
     module.exports.format = format;
-    module.exports.parse = parse16;
+    module.exports.parse = parse15;
     var formatThousandsRegExp = /\B(?=(\d{3})+(?!\d))/g;
     var formatDecimalsRegExp = /(?:\.0*|(\.[^0]+)0+)$/;
     var map = {
@@ -24395,7 +24412,7 @@ var require_bytes = __commonJS({
     var parseRegExp = /^((-|\+)?(\d+(?:\.\d+)?)) *(kb|mb|gb|tb|pb)$/i;
     function bytes(value, options) {
       if (typeof value === "string") {
-        return parse16(value);
+        return parse15(value);
       }
       if (typeof value === "number") {
         return format(value, options);
@@ -24439,7 +24456,7 @@ var require_bytes = __commonJS({
       }
       return str2 + unitSeparator + unit;
     }
-    function parse16(val) {
+    function parse15(val) {
       if (typeof val === "number" && !isNaN(val)) {
         return val;
       }
@@ -28644,7 +28661,7 @@ var require_content_type = __commonJS({
     var QUOTE_REGEXP = /([\\"])/g;
     var TYPE_REGEXP = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+\/[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
     exports.format = format;
-    exports.parse = parse16;
+    exports.parse = parse15;
     function format(obj) {
       if (!obj || typeof obj !== "object") {
         throw new TypeError("argument obj is required");
@@ -28668,7 +28685,7 @@ var require_content_type = __commonJS({
       }
       return string;
     }
-    function parse16(string) {
+    function parse15(string) {
       if (!string) {
         throw new TypeError("argument string is required");
       }
@@ -38250,7 +38267,7 @@ var require_media_typer = __commonJS({
     var TYPE_NAME_REGEXP = /^[A-Za-z0-9][A-Za-z0-9!#$&^_-]{0,126}$/;
     var TYPE_REGEXP = /^ *([A-Za-z0-9][A-Za-z0-9!#$&^_-]{0,126})\/([A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}) *$/;
     exports.format = format;
-    exports.parse = parse16;
+    exports.parse = parse15;
     exports.test = test;
     function format(obj) {
       if (!obj || typeof obj !== "object") {
@@ -38283,7 +38300,7 @@ var require_media_typer = __commonJS({
       }
       return TYPE_REGEXP.test(string.toLowerCase());
     }
-    function parse16(string) {
+    function parse15(string) {
       if (!string) {
         throw new TypeError("argument string is required");
       }
@@ -38469,7 +38486,7 @@ var require_read = __commonJS({
     var hasBody = require_type_is().hasBody;
     var { getCharset } = require_utils();
     module.exports = read2;
-    function read2(req, res, next, parse16, debug, options) {
+    function read2(req, res, next, parse15, debug, options) {
       if (onFinished.isFinished(req)) {
         debug("body already parsed");
         next();
@@ -38557,7 +38574,7 @@ var require_read = __commonJS({
         try {
           debug("parse body");
           str2 = typeof body !== "string" && encoding !== null ? iconv.decode(body, encoding) : body;
-          req.body = parse16(str2, encoding);
+          req.body = parse15(str2, encoding);
         } catch (err) {
           next(createError(400, err, {
             body: str2,
@@ -38630,7 +38647,7 @@ var require_json = __commonJS({
       const normalizedOptions = normalizeOptions(options, "application/json");
       var reviver = options?.reviver;
       var strict = options?.strict !== false;
-      function parse16(body) {
+      function parse15(body) {
         if (body.length === 0) {
           return {};
         }
@@ -38657,7 +38674,7 @@ var require_json = __commonJS({
         isValidCharset: (charset) => charset.slice(0, 4) === "utf-"
       };
       return function jsonParser(req, res, next) {
-        read2(req, res, next, parse16, debug, readOptions);
+        read2(req, res, next, parse15, debug, readOptions);
       };
     }
     function createStrictSyntaxError(str2, char) {
@@ -41235,11 +41252,11 @@ var require_lib2 = __commonJS({
   "../../node_modules/qs/lib/index.js"(exports, module) {
     "use strict";
     var stringify8 = require_stringify2();
-    var parse16 = require_parse();
+    var parse15 = require_parse();
     var formats = require_formats();
     module.exports = {
       formats,
-      parse: parse16,
+      parse: parse15,
       stringify: stringify8
     };
   }
@@ -41261,7 +41278,7 @@ var require_urlencoded = __commonJS({
         throw new TypeError("option defaultCharset must be either utf-8 or iso-8859-1");
       }
       var queryparse = createQueryParser(options);
-      function parse16(body, encoding) {
+      function parse15(body, encoding) {
         return body.length ? queryparse(body, encoding) : {};
       }
       const readOptions = {
@@ -41270,7 +41287,7 @@ var require_urlencoded = __commonJS({
         isValidCharset: (charset) => charset === "utf-8" || charset === "iso-8859-1"
       };
       return function urlencodedParser(req, res, next) {
-        read2(req, res, next, parse16, debug, readOptions);
+        read2(req, res, next, parse15, debug, readOptions);
       };
     }
     function createQueryParser(options) {
@@ -41454,7 +41471,7 @@ var require_parseurl = __commonJS({
   "../../node_modules/parseurl/index.js"(exports, module) {
     "use strict";
     var url = __require("url");
-    var parse16 = url.parse;
+    var parse15 = url.parse;
     var Url = url.Url;
     module.exports = parseurl;
     module.exports.original = originalurl;
@@ -41486,7 +41503,7 @@ var require_parseurl = __commonJS({
     }
     function fastparse(str2) {
       if (typeof str2 !== "string" || str2.charCodeAt(0) !== 47) {
-        return parse16(str2);
+        return parse15(str2);
       }
       var pathname = str2;
       var query = null;
@@ -41514,7 +41531,7 @@ var require_parseurl = __commonJS({
           /* #  */
           case 160:
           case 65279:
-            return parse16(str2);
+            return parse15(str2);
         }
       }
       var url2 = Url !== void 0 ? new Url() : {};
@@ -51310,7 +51327,7 @@ var require_forwarded = __commonJS({
       if (!req) {
         throw new TypeError("argument req is required");
       }
-      var proxyAddrs = parse16(req.headers["x-forwarded-for"] || "");
+      var proxyAddrs = parse15(req.headers["x-forwarded-for"] || "");
       var socketAddr = getSocketAddr(req);
       var addrs = [socketAddr].concat(proxyAddrs);
       return addrs;
@@ -51318,7 +51335,7 @@ var require_forwarded = __commonJS({
     function getSocketAddr(req) {
       return req.socket ? req.socket.remoteAddress : req.connection.remoteAddress;
     }
-    function parse16(header) {
+    function parse15(header) {
       var end = header.length;
       var list = [];
       var start = header.length;
@@ -52347,7 +52364,7 @@ var require_dist2 = __commonJS({
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.PathError = exports.TokenData = void 0;
-    exports.parse = parse16;
+    exports.parse = parse15;
     exports.compile = compile;
     exports.match = match;
     exports.pathToRegexp = pathToRegexp;
@@ -52382,7 +52399,7 @@ var require_dist2 = __commonJS({
       }
     };
     exports.PathError = PathError;
-    function parse16(str2, options = {}) {
+    function parse15(str2, options = {}) {
       const { encodePath = NOOP_VALUE } = options;
       const chars = [...str2];
       const tokens = [];
@@ -52471,7 +52488,7 @@ var require_dist2 = __commonJS({
     }
     function compile(path47, options = {}) {
       const { encode: encode2 = encodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
-      const data = typeof path47 === "object" ? path47 : parse16(path47, options);
+      const data = typeof path47 === "object" ? path47 : parse15(path47, options);
       const fn = tokensToFunction(data.tokens, delimiter, encode2);
       return function path48(params = {}) {
         const [path49, ...missing] = fn(params);
@@ -52572,7 +52589,7 @@ var require_dist2 = __commonJS({
           paths.push(...path48);
           continue;
         }
-        const data = typeof path48 === "object" ? path48 : parse16(path48, options);
+        const data = typeof path48 === "object" ? path48 : parse15(path48, options);
         flatten2(data.tokens, 0, [], (tokens) => {
           if (combinations++ >= 256) {
             throw new PathError("Too many path combinations", data.originalPath);
@@ -63897,7 +63914,7 @@ var require_request = __commonJS({
     var http = __require("node:http");
     var fresh = require_fresh();
     var parseRange = require_range_parser();
-    var parse16 = require_parseurl();
+    var parse15 = require_parseurl();
     var proxyaddr = require_proxy_addr();
     var req = Object.create(http.IncomingMessage.prototype);
     module.exports = req;
@@ -63942,7 +63959,7 @@ var require_request = __commonJS({
       if (!queryparse) {
         return /* @__PURE__ */ Object.create(null);
       }
-      var querystring = parse16(this).query;
+      var querystring = parse15(this).query;
       return queryparse(querystring);
     });
     req.is = function is(types) {
@@ -63986,7 +64003,7 @@ var require_request = __commonJS({
       return subdomains2.slice(offset);
     });
     defineGetter(req, "path", function path47() {
-      return parse16(this).pathname;
+      return parse15(this).pathname;
     });
     defineGetter(req, "host", function host() {
       var trust = this.app.get("trust proxy fn");
@@ -64040,7 +64057,7 @@ var require_content_disposition = __commonJS({
   "../../node_modules/content-disposition/index.js"(exports, module) {
     "use strict";
     module.exports = contentDisposition;
-    module.exports.parse = parse16;
+    module.exports.parse = parse15;
     var basename5 = __require("path").basename;
     var ENCODE_URL_ATTR_CHAR_REGEXP = /[\x00-\x20"'()*,/:;<=>?@[\\\]{}\x7f]/g;
     var HEX_ESCAPE_REGEXP = /%[0-9A-Fa-f]{2}/;
@@ -64131,7 +64148,7 @@ var require_content_disposition = __commonJS({
     function getlatin1(val) {
       return String(val).replace(NON_LATIN1_REGEXP, "?");
     }
-    function parse16(string) {
+    function parse15(string) {
       if (!string || typeof string !== "string") {
         throw new TypeError("argument string is required");
       }
@@ -64220,7 +64237,7 @@ var require_cookie_signature = __commonJS({
 var require_cookie = __commonJS({
   "../../node_modules/cookie/index.js"(exports) {
     "use strict";
-    exports.parse = parse16;
+    exports.parse = parse15;
     exports.serialize = serialize;
     var __toString = Object.prototype.toString;
     var __hasOwnProperty = Object.prototype.hasOwnProperty;
@@ -64228,7 +64245,7 @@ var require_cookie = __commonJS({
     var cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
     var domainValueRegExp = /^([.]?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)([.][a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
     var pathValueRegExp = /^[\u0020-\u003A\u003D-\u007E]*$/;
-    function parse16(str2, opt) {
+    function parse15(str2, opt) {
       if (typeof str2 !== "string") {
         throw new TypeError("argument str must be a string");
       }
@@ -74384,7 +74401,7 @@ var require_vary = __commonJS({
       if (!field) {
         throw new TypeError("field argument is required");
       }
-      var fields = !Array.isArray(field) ? parse16(String(field)) : field;
+      var fields = !Array.isArray(field) ? parse15(String(field)) : field;
       for (var j = 0; j < fields.length; j++) {
         if (!FIELD_NAME_REGEXP.test(fields[j])) {
           throw new TypeError("field argument contains an invalid header name");
@@ -74394,7 +74411,7 @@ var require_vary = __commonJS({
         return header;
       }
       var val = header;
-      var vals = parse16(header.toLowerCase());
+      var vals = parse15(header.toLowerCase());
       if (fields.indexOf("*") !== -1 || vals.indexOf("*") !== -1) {
         return "*";
       }
@@ -74407,7 +74424,7 @@ var require_vary = __commonJS({
       }
       return val;
     }
-    function parse16(header) {
+    function parse15(header) {
       var end = 0;
       var list = [];
       var start = 0;
@@ -75868,161 +75885,6 @@ var require_dist3 = __commonJS({
   }
 });
-// ../ui/dist/server/sops-config.js
-var require_sops_config = __commonJS({
-  "../ui/dist/server/sops-config.js"(exports) {
-    "use strict";
-    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports && exports.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod3) {
-        if (mod3 && mod3.__esModule) return mod3;
-        var result = {};
-        if (mod3 != null) {
-          for (var k = ownKeys(mod3), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod3, k[i]);
-        }
-        __setModuleDefault(result, mod3);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports, "__esModule", { value: true });
-    exports.scaffoldSopsConfig = scaffoldSopsConfig2;
-    var fs28 = __importStar(__require("fs"));
-    var path47 = __importStar(__require("path"));
-    var YAML15 = __importStar(require_dist());
-    var core_1 = (init_src(), __toCommonJS(src_exports));
-    function scaffoldSopsConfig2(repoRoot, ageKeyFile, ageKey) {
-      const parser = new core_1.ManifestParser();
-      const manifest = parser.parse(path47.join(repoRoot, "clef.yaml"));
-      const sopsYamlPath = path47.join(repoRoot, ".sops.yaml");
-      let agePublicKey;
-      if (manifest.sops.default_backend === "age") {
-        agePublicKey = resolveAgePublicKey(repoRoot, ageKeyFile, ageKey);
-      }
-      const sopsConfig = buildSopsYaml2(manifest, agePublicKey);
-      fs28.writeFileSync(sopsYamlPath, YAML15.stringify(sopsConfig), "utf-8");
-    }
-    function buildSopsYaml2(manifest, agePublicKey) {
-      const creationRules = [];
-      for (const ns of manifest.namespaces) {
-        for (const env of manifest.environments) {
-          const pathRegex = `${ns.name}/${env.name}\\.enc\\.yaml$`;
-          const rule = { path_regex: pathRegex };
-          const backend = env.sops?.backend ?? manifest.sops.default_backend;
-          switch (backend) {
-            case "age": {
-              const envRecipients = (0, core_1.resolveRecipientsForEnvironment)(manifest, env.name);
-              if (envRecipients && envRecipients.length > 0) {
-                const keys = envRecipients.map((r) => typeof r === "string" ? r : r.key);
-                rule.age = keys.join(",");
-              } else if (agePublicKey) {
-                rule.age = agePublicKey;
-              }
-              break;
-            }
-            case "awskms": {
-              const arn = env.sops?.aws_kms_arn ?? manifest.sops.aws_kms_arn;
-              if (arn)
-                rule.kms = arn;
-              break;
-            }
-            case "gcpkms": {
-              const resourceId = env.sops?.gcp_kms_resource_id ?? manifest.sops.gcp_kms_resource_id;
-              if (resourceId)
-                rule.gcp_kms = resourceId;
-              break;
-            }
-            case "azurekv": {
-              const kvUrl = env.sops?.azure_kv_url ?? manifest.sops.azure_kv_url;
-              if (kvUrl)
-                rule.azure_keyvault = kvUrl;
-              break;
-            }
-            case "pgp": {
-              const fingerprint = env.sops?.pgp_fingerprint ?? manifest.sops.pgp_fingerprint;
-              if (fingerprint)
-                rule.pgp = fingerprint;
-              break;
-            }
-          }
-          creationRules.push(rule);
-        }
-      }
-      return { creation_rules: creationRules };
-    }
-    function resolveAgePublicKey(repoRoot, ageKeyFile, ageKey) {
-      if (ageKeyFile) {
-        const pubKey = extractAgePublicKey2(ageKeyFile);
-        if (pubKey)
-          return pubKey;
-      }
-      if (ageKey) {
-        const match = ageKey.match(/# public key: (age1[a-z0-9]+)/);
-        if (match)
-          return match[1];
-      }
-      if (process.env.CLEF_AGE_KEY_FILE) {
-        const pubKey = extractAgePublicKey2(process.env.CLEF_AGE_KEY_FILE);
-        if (pubKey)
-          return pubKey;
-      }
-      if (process.env.CLEF_AGE_KEY) {
-        const match = process.env.CLEF_AGE_KEY.match(/# public key: (age1[a-z0-9]+)/);
-        if (match)
-          return match[1];
-      }
-      const clefConfigPath = path47.join(repoRoot, ".clef", "config.yaml");
-      if (fs28.existsSync(clefConfigPath)) {
-        try {
-          const config = YAML15.parse(fs28.readFileSync(clefConfigPath, "utf-8"));
-          if (config?.age_key_file) {
-            const pubKey = extractAgePublicKey2(config.age_key_file);
-            if (pubKey)
-              return pubKey;
-          }
-        } catch {
-        }
-      }
-      return void 0;
-    }
-    function extractAgePublicKey2(keyFilePath) {
-      try {
-        if (!fs28.existsSync(keyFilePath))
-          return void 0;
-        const content = fs28.readFileSync(keyFilePath, "utf-8");
-        const match = content.match(/# public key: (age1[a-z0-9]+)/);
-        return match ? match[1] : void 0;
-      } catch {
-        return void 0;
-      }
-    }
-  }
-});
 // ../ui/dist/server/api.js
 var require_api = __commonJS({
   "../ui/dist/server/api.js"(exports) {
@@ -76072,7 +75934,6 @@ var require_api = __commonJS({
     var express_1 = require_express2();
     var _useStdinFifo = process.platform === "linux" && !process.env.JEST_WORKER_ID;
     var core_1 = (init_src(), __toCommonJS(src_exports));
-    var sops_config_1 = require_sops_config();
     function createApiRouter(deps2) {
       const router = (0, express_1.Router)();
       const parser = new core_1.ManifestParser();
@@ -76085,7 +75946,7 @@ var require_api = __commonJS({
             return deps2.runner.run(cmd, args, {
               ...opts2,
               cwd: opts2?.cwd ?? deps2.repoRoot,
-              env: { SOPS_CONFIG: path47.join(deps2.repoRoot, ".sops.yaml"), ...opts2?.env }
+              env: opts2?.env
             });
           }
           const fifoDir = (0, child_process_1.execFileSync)("mktemp", ["-d", path47.join(os4.tmpdir(), "clef-fifo-XXXXXX")]).toString().trim();
@@ -76324,6 +76185,29 @@ var require_api = __commonJS({
           res.status(500).json({ error: "Failed to delete key", code: "DELETE_ERROR" });
         }
       });
+      router.post("/namespace/:ns/:env/:key/accept", async (req, res) => {
+        setNoCacheHeaders(res);
+        try {
+          const manifest = loadManifest();
+          const { ns, env, key } = req.params;
+          const nsExists = manifest.namespaces.some((n) => n.name === ns);
+          const envExists = manifest.environments.some((e) => e.name === env);
+          if (!nsExists || !envExists) {
+            res.status(404).json({
+              error: `Namespace '${ns}' or environment '${env}' not found in manifest.`,
+              code: "NOT_FOUND"
+            });
+            return;
+          }
+          const filePath = `${deps2.repoRoot}/${manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)}`;
+          const decrypted = await sops.decrypt(filePath);
+          const value = key in decrypted.values ? String(decrypted.values[key]) : void 0;
+          await (0, core_1.markResolved)(filePath, [key]);
+          res.json({ success: true, key, value });
+        } catch {
+          res.status(500).json({ error: "Failed to accept pending value", code: "ACCEPT_ERROR" });
+        }
+      });
       router.post("/copy", async (req, res) => {
         try {
           const manifest = loadManifest();
@@ -76841,9 +76725,7 @@ var require_api = __commonJS({
             return;
           }
           const events = [];
-          const result = await backendMigrator.migrate(manifest, deps2.repoRoot, { target, environment, dryRun: true }, {
-            regenerateSopsConfig: () => (0, sops_config_1.scaffoldSopsConfig)(deps2.repoRoot, deps2.ageKeyFile, deps2.ageKey)
-          }, (event) => events.push(event));
+          const result = await backendMigrator.migrate(manifest, deps2.repoRoot, { target, environment, dryRun: true }, (event) => events.push(event));
           res.json({ success: !result.rolledBack, result, events });
         } catch (err) {
           const message = err instanceof Error ? err.message : "Migration preview failed";
@@ -76869,9 +76751,7 @@ var require_api = __commonJS({
             return;
           }
           const events = [];
-          const result = await backendMigrator.migrate(manifest, deps2.repoRoot, { target, environment, dryRun: false }, {
-            regenerateSopsConfig: () => (0, sops_config_1.scaffoldSopsConfig)(deps2.repoRoot, deps2.ageKeyFile, deps2.ageKey)
-          }, (event) => events.push(event));
+          const result = await backendMigrator.migrate(manifest, deps2.repoRoot, { target, environment, dryRun: false }, (event) => events.push(event));
           res.json({ success: !result.rolledBack, result, events });
         } catch (err) {
           const message = err instanceof Error ? err.message : "Migration failed";
@@ -77735,7 +77615,7 @@ var require_artifact_decryptor = __commonJS({
         } finally {
           plaintext = "";
         }
-        return { values, keys: artifact.keys, revision: artifact.revision };
+        return { values, keys: Object.keys(values), revision: artifact.revision };
       }
       /** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
       async decryptKmsEnvelope(artifact) {
@@ -77836,14 +77716,13 @@ var require_signature = __commonJS({
     var crypto6 = __importStar(__require("crypto"));
     function buildSigningPayload2(artifact) {
       const fields = [
-        "clef-sig-v2",
+        "clef-sig-v3",
         String(artifact.version),
         artifact.identity,
         artifact.environment,
         artifact.revision,
         artifact.packedAt,
         artifact.ciphertextHash,
-        [...artifact.keys].sort().join(","),
         artifact.expiresAt ?? "",
         artifact.envelope?.provider ?? "",
         artifact.envelope?.keyId ?? "",
@@ -77976,7 +77855,6 @@ var require_poller = __commonJS({
         this.options.onRefresh?.(artifact.revision);
         this.telemetry?.artifactRefreshed({
           revision: artifact.revision,
-          keyCount: artifact.keys.length,
           kmsEnvelope: !!artifact.envelope
         });
       }
@@ -78133,14 +78011,15 @@ var require_poller = __commonJS({
         if (artifact.revision === this.lastRevision)
           return;
         const { values } = await this.decryptor.decrypt(artifact);
-        this.options.cache.swap(values, artifact.keys, artifact.revision);
+        const keys = Object.keys(values);
+        this.options.cache.swap(values, keys, artifact.revision);
         this.lastRevision = artifact.revision;
         this.lastContentHash = contentHash ?? null;
         this.lastExpiresAt = artifact.expiresAt ?? null;
         this.options.onRefresh?.(artifact.revision);
         this.telemetry?.artifactRefreshed({
           revision: artifact.revision,
-          keyCount: artifact.keys.length,
+          keyCount: keys.length,
           kmsEnvelope: !!artifact.envelope
         });
       }
@@ -78263,10 +78142,6 @@ var require_encrypted_artifact_store = __commonJS({
       getStoredAt() {
         return this._storedAt;
       }
-      /** Get key names from the stored artifact metadata (no decryption needed). */
-      getKeys() {
-        return this.artifact ? [...this.artifact.keys] : [];
-      }
       /** Get the revision from the stored artifact. */
       getRevision() {
         return this.artifact?.revision ?? null;
@@ -78748,12 +78623,228 @@ var require_vcs2 = __commonJS({
   }
 });
+// ../runtime/dist/sources/s3.js
+var require_s3 = __commonJS({
+  "../runtime/dist/sources/s3.js"(exports) {
+    "use strict";
+    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
+      Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+      o["default"] = v;
+    });
+    var __importStar = exports && exports.__importStar || /* @__PURE__ */ (function() {
+      var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function(o2) {
+          var ar = [];
+          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+          return ar;
+        };
+        return ownKeys(o);
+      };
+      return function(mod3) {
+        if (mod3 && mod3.__esModule) return mod3;
+        var result = {};
+        if (mod3 != null) {
+          for (var k = ownKeys(mod3), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod3, k[i]);
+        }
+        __setModuleDefault(result, mod3);
+        return result;
+      };
+    })();
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.S3ArtifactSource = void 0;
+    exports.isS3Url = isS3Url;
+    var crypto6 = __importStar(__require("crypto"));
+    function isS3Url(url) {
+      return parseS3UrlSafe(url) !== null;
+    }
+    function parseS3Url(url) {
+      const loc = parseS3UrlSafe(url);
+      if (!loc)
+        throw new Error(`Not a valid S3 URL: ${url}`);
+      return loc;
+    }
+    function parseS3UrlSafe(url) {
+      let u;
+      try {
+        u = new URL(url);
+      } catch {
+        return null;
+      }
+      if (u.protocol !== "https:")
+        return null;
+      const host = u.hostname;
+      const key = u.pathname.slice(1);
+      if (!key)
+        return null;
+      const vhMatch = host.match(/^(.+)\.s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^(.+)\.s3\.amazonaws\.com$/);
+      if (vhMatch) {
+        return { bucket: vhMatch[1], key, region: vhMatch[2] || "us-east-1" };
+      }
+      const psMatch = host.match(/^s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^s3\.amazonaws\.com$/);
+      if (psMatch) {
+        const slashIdx = key.indexOf("/");
+        if (slashIdx < 0)
+          return null;
+        return {
+          bucket: key.slice(0, slashIdx),
+          key: key.slice(slashIdx + 1),
+          region: psMatch[1] || "us-east-1"
+        };
+      }
+      return null;
+    }
+    var S3ArtifactSource = class {
+      url;
+      location;
+      cachedCredentials = null;
+      constructor(url) {
+        this.url = url;
+        this.location = parseS3Url(url);
+      }
+      async fetch() {
+        const creds = await this.resolveCredentials();
+        const { bucket, key, region } = this.location;
+        const host = `${bucket}.s3.${region}.amazonaws.com`;
+        const path47 = `/${encodeS3Key(key)}`;
+        const now = /* @__PURE__ */ new Date();
+        const headers = signS3GetRequest(host, path47, region, creds, now);
+        const res = await globalThis.fetch(`https://${host}${path47}`, { headers });
+        if (!res.ok) {
+          throw new Error(`Failed to fetch artifact from ${this.describe()}: ${res.status} ${res.statusText}`);
+        }
+        const raw = await res.text();
+        const etag = res.headers.get("etag") ?? void 0;
+        return { raw, contentHash: etag };
+      }
+      describe() {
+        const { bucket, key } = this.location;
+        return `S3 s3://${bucket}/${key}`;
+      }
+      async resolveCredentials() {
+        if (this.cachedCredentials && Date.now() < this.cachedCredentials.expiresAt - 3e5) {
+          return this.cachedCredentials.creds;
+        }
+        const relativeUri = process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
+        if (relativeUri) {
+          return this.fetchEcsCredentials(`http://169.254.170.2${relativeUri}`);
+        }
+        const fullUri = process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI;
+        if (fullUri) {
+          return this.fetchEcsCredentials(fullUri);
+        }
+        const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
+        const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
+        if (accessKeyId && secretAccessKey) {
+          return {
+            accessKeyId,
+            secretAccessKey,
+            sessionToken: process.env.AWS_SESSION_TOKEN
+          };
+        }
+        throw new Error("No AWS credentials found. Set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or run in ECS/Fargate with a task role.");
+      }
+      async fetchEcsCredentials(endpoint) {
+        const headers = {};
+        const authToken = process.env.AWS_CONTAINER_AUTHORIZATION_TOKEN;
+        if (authToken) {
+          headers["Authorization"] = authToken;
+        }
+        const res = await globalThis.fetch(endpoint, { headers });
+        if (!res.ok) {
+          throw new Error(`Failed to fetch ECS credentials: ${res.status} ${res.statusText}`);
+        }
+        const data = await res.json();
+        const creds = {
+          accessKeyId: data.AccessKeyId,
+          secretAccessKey: data.SecretAccessKey,
+          sessionToken: data.Token
+        };
+        if (data.Expiration) {
+          this.cachedCredentials = {
+            creds,
+            expiresAt: new Date(data.Expiration).getTime()
+          };
+        }
+        return creds;
+      }
+    };
+    exports.S3ArtifactSource = S3ArtifactSource;
+    function hmacSha256(key, data) {
+      return crypto6.createHmac("sha256", key).update(data, "utf-8").digest();
+    }
+    function sha256Hex(data) {
+      return crypto6.createHash("sha256").update(data, "utf-8").digest("hex");
+    }
+    function toAmzDate(date) {
+      return date.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
+    }
+    function toDateStamp(date) {
+      return toAmzDate(date).slice(0, 8);
+    }
+    function encodeS3Key(key) {
+      return key.split("/").map((s) => encodeURIComponent(s)).join("/");
+    }
+    function signS3GetRequest(host, path47, region, creds, now) {
+      const amzDate = toAmzDate(now);
+      const dateStamp = toDateStamp(now);
+      const service = "s3";
+      const scope = `${dateStamp}/${region}/${service}/aws4_request`;
+      const headers = {
+        host,
+        "x-amz-date": amzDate,
+        "x-amz-content-sha256": "UNSIGNED-PAYLOAD"
+      };
+      if (creds.sessionToken) {
+        headers["x-amz-security-token"] = creds.sessionToken;
+      }
+      const signedHeaderKeys = Object.keys(headers).sort();
+      const signedHeaders = signedHeaderKeys.join(";");
+      const canonicalHeaders = signedHeaderKeys.map((k) => `${k}:${headers[k]}
+`).join("");
+      const canonicalRequest = [
+        "GET",
+        path47,
+        "",
+        // no query string
+        canonicalHeaders,
+        signedHeaders,
+        "UNSIGNED-PAYLOAD"
+      ].join("\n");
+      const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");
+      const kDate = hmacSha256(`AWS4${creds.secretAccessKey}`, dateStamp);
+      const kRegion = hmacSha256(kDate, region);
+      const kService = hmacSha256(kRegion, service);
+      const kSigning = hmacSha256(kService, "aws4_request");
+      const signature = hmacSha256(kSigning, stringToSign).toString("hex");
+      const authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+      return {
+        ...headers,
+        Authorization: authorization
+      };
+    }
+  }
+});
 // ../runtime/dist/index.js
 var require_dist4 = __commonJS({
   "../runtime/dist/index.js"(exports) {
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
-    exports.ClefRuntime = exports.verifySignature = exports.buildSigningPayload = exports.VcsArtifactSource = exports.FileArtifactSource = exports.HttpArtifactSource = exports.createKmsProvider = exports.AwsKmsProvider = exports.createVcsProvider = exports.BitbucketProvider = exports.GitLabProvider = exports.GitHubProvider = exports.TelemetryEmitter = exports.EncryptedArtifactStore = exports.ArtifactDecryptor = exports.ArtifactPoller = exports.AgeDecryptor = exports.DiskCache = exports.SecretsCache = void 0;
+    exports.ClefRuntime = exports.verifySignature = exports.buildSigningPayload = exports.isS3Url = exports.S3ArtifactSource = exports.VcsArtifactSource = exports.FileArtifactSource = exports.HttpArtifactSource = exports.createKmsProvider = exports.AwsKmsProvider = exports.createVcsProvider = exports.BitbucketProvider = exports.GitLabProvider = exports.GitHubProvider = exports.TelemetryEmitter = exports.EncryptedArtifactStore = exports.ArtifactDecryptor = exports.ArtifactPoller = exports.AgeDecryptor = exports.DiskCache = exports.SecretsCache = void 0;
     exports.init = init;
     var secrets_cache_1 = require_secrets_cache();
     Object.defineProperty(exports, "SecretsCache", { enumerable: true, get: function() {
@@ -78819,6 +78910,13 @@ var require_dist4 = __commonJS({
     Object.defineProperty(exports, "VcsArtifactSource", { enumerable: true, get: function() {
       return vcs_1.VcsArtifactSource;
     } });
+    var s3_1 = require_s3();
+    Object.defineProperty(exports, "S3ArtifactSource", { enumerable: true, get: function() {
+      return s3_1.S3ArtifactSource;
+    } });
+    Object.defineProperty(exports, "isS3Url", { enumerable: true, get: function() {
+      return s3_1.isS3Url;
+    } });
     var signature_1 = require_signature();
     Object.defineProperty(exports, "buildSigningPayload", { enumerable: true, get: function() {
       return signature_1.buildSigningPayload;
@@ -78834,6 +78932,7 @@ var require_dist4 = __commonJS({
     var vcs_2 = require_vcs2();
     var http_2 = require_http();
     var file_2 = require_file();
+    var s3_2 = require_s3();
     var ClefRuntime = class {
       cache = new secrets_cache_2.SecretsCache();
       poller;
@@ -78927,6 +79026,9 @@ var require_dist4 = __commonJS({
           return new vcs_2.VcsArtifactSource(provider, config.identity, config.environment);
         }
         if (config.source) {
+          if ((0, s3_2.isS3Url)(config.source)) {
+            return new s3_2.S3ArtifactSource(config.source);
+          }
           if (config.source.startsWith("http://") || config.source.startsWith("https://")) {
             return new http_2.HttpArtifactSource(config.source);
           }
@@ -79859,12 +79961,6 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
   }
   fs18.writeFileSync(manifestPath, YAML12.stringify(manifestDoc), "utf-8");
   formatter.success("Created clef.yaml");
-  {
-    const sopsYamlPath = path21.join(repoRoot, ".sops.yaml");
-    const sopsConfig = buildSopsYaml(manifest, repoRoot, publicKey);
-    fs18.writeFileSync(sopsYamlPath, YAML12.stringify(sopsConfig), "utf-8");
-    formatter.success("Created .sops.yaml");
-  }
   const sopsClient = new SopsClient(deps2.runner, ageKeyFile, ageKey);
   const matrixManager = new MatrixManager();
   const cells = matrixManager.resolveMatrix(manifest, repoRoot);
@@ -79942,102 +80038,6 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
   formatter.hint("clef lint  \u2014 check repo health");
   formatter.hint("clef ui    \u2014 open the web UI");
 }
-function scaffoldSopsConfig(repoRoot) {
-  const manifestPath = path21.join(repoRoot, "clef.yaml");
-  const parser = new ManifestParser();
-  const manifest = parser.parse(manifestPath);
-  const sopsYamlPath = path21.join(repoRoot, ".sops.yaml");
-  let agePublicKey;
-  if (manifest.sops.default_backend === "age") {
-    agePublicKey = resolveAgePublicKeyFromEnvOrFile(repoRoot);
-  }
-  const sopsConfig = buildSopsYaml(manifest, repoRoot, agePublicKey);
-  fs18.writeFileSync(sopsYamlPath, YAML12.stringify(sopsConfig), "utf-8");
-}
-function buildSopsYaml(manifest, _repoRoot, agePublicKey) {
-  const creationRules = [];
-  for (const ns of manifest.namespaces) {
-    for (const env of manifest.environments) {
-      const pathRegex = `${ns.name}/${env.name}\\.enc\\.yaml$`;
-      const rule = { path_regex: pathRegex };
-      const backend = env.sops?.backend ?? manifest.sops.default_backend;
-      switch (backend) {
-        case "age": {
-          const envRecipients = resolveRecipientsForEnvironment(manifest, env.name);
-          if (envRecipients && envRecipients.length > 0) {
-            const keys = envRecipients.map((r) => typeof r === "string" ? r : r.key);
-            rule.age = keys.join(",");
-          } else if (agePublicKey) {
-            rule.age = agePublicKey;
-          }
-          break;
-        }
-        case "awskms": {
-          const arn = env.sops?.aws_kms_arn ?? manifest.sops.aws_kms_arn;
-          if (arn) {
-            rule.kms = arn;
-          }
-          break;
-        }
-        case "gcpkms": {
-          const resourceId = env.sops?.gcp_kms_resource_id ?? manifest.sops.gcp_kms_resource_id;
-          if (resourceId) {
-            rule.gcp_kms = resourceId;
-          }
-          break;
-        }
-        case "azurekv": {
-          const kvUrl = env.sops?.azure_kv_url ?? manifest.sops.azure_kv_url;
-          if (kvUrl) {
-            rule.azure_keyvault = kvUrl;
-          }
-          break;
-        }
-        case "pgp": {
-          const fingerprint = env.sops?.pgp_fingerprint ?? manifest.sops.pgp_fingerprint;
-          if (fingerprint) {
-            rule.pgp = fingerprint;
-          }
-          break;
-        }
-      }
-      creationRules.push(rule);
-    }
-  }
-  return { creation_rules: creationRules };
-}
-function resolveAgePublicKeyFromEnvOrFile(repoRoot) {
-  if (process.env.CLEF_AGE_KEY_FILE) {
-    const pubKey = extractAgePublicKey(process.env.CLEF_AGE_KEY_FILE);
-    if (pubKey) return pubKey;
-  }
-  if (process.env.CLEF_AGE_KEY) {
-    const match = process.env.CLEF_AGE_KEY.match(/# public key: (age1[a-z0-9]+)/);
-    if (match) return match[1];
-  }
-  const clefConfigPath = path21.join(repoRoot, CLEF_DIR, CLEF_CONFIG_FILENAME);
-  if (fs18.existsSync(clefConfigPath)) {
-    try {
-      const config = YAML12.parse(fs18.readFileSync(clefConfigPath, "utf-8"));
-      if (config?.age_key_file) {
-        const pubKey = extractAgePublicKey(config.age_key_file);
-        if (pubKey) return pubKey;
-      }
-    } catch {
-    }
-  }
-  return void 0;
-}
-function extractAgePublicKey(keyFilePath) {
-  try {
-    if (!fs18.existsSync(keyFilePath)) return void 0;
-    const content = fs18.readFileSync(keyFilePath, "utf-8");
-    const match = content.match(/# public key: (age1[a-z0-9]+)/);
-    return match ? match[1] : void 0;
-  } catch {
-    return void 0;
-  }
-}
 async function scaffoldRandomValues(ns, manifest, schemaValidator, sopsClient, repoRoot, includeOptional, addCount) {
   let schema;
   try {
@@ -80952,7 +80952,7 @@ async function fetchCheckpoint(config) {
 }
 // package.json
-var version = "0.1.11-beta.62";
+var version = "0.1.11-beta.66";
 var package_default = {
   name: "@clef-sh/cli",
   version,
@@ -81505,17 +81505,13 @@ Usage: clef export payments/production --format env`
 }
 // src/commands/doctor.ts
-var YAML14 = __toESM(require_dist());
 init_src();
 import * as fs21 from "fs";
 import * as path34 from "path";
 function registerDoctorCommand(program3, deps2) {
   program3.command("doctor").description(
     "Check your environment for required dependencies and configuration.\n\nExit codes:\n  0  All checks pass\n  1  One or more checks failed"
-  ).option("--json", "Output the full status as JSON").option(
-    "--fix",
-    "Attempt to auto-fix issues (runs clef init if .sops.yaml is the only failure)"
-  ).action(async (options) => {
+  ).option("--json", "Output the full status as JSON").option("--fix", "Attempt to auto-fix issues").action(async (options) => {
     const repoRoot = program3.opts().dir || process.cwd();
     const clefVersion = program3.version() ?? "unknown";
     const checks = [];
@@ -81566,14 +81562,6 @@ function registerDoctorCommand(program3, deps2) {
     });
     const ageKeyResult = await checkAgeKey(repoRoot, deps2.runner);
     checks.push(ageKeyResult);
-    const sopsYamlPath = path34.join(repoRoot, ".sops.yaml");
-    const sopsYamlFound = fs21.existsSync(sopsYamlPath);
-    checks.push({
-      name: ".sops.yaml",
-      ok: sopsYamlFound,
-      detail: sopsYamlFound ? "found" : "not found",
-      hint: sopsYamlFound ? void 0 : "run: clef init"
-    });
     const clefignorePath = path34.join(repoRoot, ".clefignore");
     const clefignoreFound = fs21.existsSync(clefignorePath);
     let clefignoreRuleCount = 0;
@@ -81606,25 +81594,7 @@ function registerDoctorCommand(program3, deps2) {
     });
     if (options.fix) {
       const failures2 = checks.filter((c) => !c.ok);
-      const onlySopsYamlMissing = failures2.length === 1 && failures2[0].name === ".sops.yaml" && !sopsYamlFound;
-      if (onlySopsYamlMissing) {
-        formatter.info("Attempting to fix: generating .sops.yaml from manifest...");
-        try {
-          scaffoldSopsConfig(repoRoot);
-          const nowFound = fs21.existsSync(sopsYamlPath);
-          if (nowFound) {
-            const sopsYamlCheck = checks.find((c) => c.name === ".sops.yaml");
-            if (sopsYamlCheck) {
-              sopsYamlCheck.ok = true;
-              sopsYamlCheck.detail = "found (fixed)";
-              delete sopsYamlCheck.hint;
-            }
-            formatter.success(".sops.yaml created from manifest.");
-          }
-        } catch {
-          formatter.error("Failed to generate .sops.yaml. Run 'clef init' manually to diagnose.");
-        }
-      } else if (failures2.length > 0) {
+      if (failures2.length > 0) {
         formatter.warn("--fix cannot resolve these issues automatically.");
       }
     }
@@ -81646,14 +81616,8 @@ function registerDoctorCommand(program3, deps2) {
         manifest: { found: manifestFound, ok: manifestFound },
         ageKey: {
           source: ageKeyResult.source,
-          recipients: countAgeRecipients(sopsYamlPath),
           ok: ageKeyResult.ok
         },
-        sopsYaml: {
-          found: checks.find((c) => c.name === ".sops.yaml").ok,
-          ok: checks.find((c) => c.name === ".sops.yaml").ok,
-          ...!checks.find((c) => c.name === ".sops.yaml").ok ? { fix: "clef init" } : {}
-        },
         scanner: {
           clefignoreFound: checks.find((c) => c.name === "scanner")?.ok ?? false,
           ok: checks.find((c) => c.name === "scanner")?.ok ?? false
@@ -81752,30 +81716,6 @@ async function checkAgeKey(repoRoot, runner2) {
       };
   }
 }
-function countAgeRecipients(sopsYamlPath) {
-  try {
-    if (!fs21.existsSync(sopsYamlPath)) return 0;
-    const content = fs21.readFileSync(sopsYamlPath, "utf-8");
-    const config = YAML14.parse(content);
-    if (!config?.creation_rules || !Array.isArray(config.creation_rules)) {
-      return 0;
-    }
-    const recipients = /* @__PURE__ */ new Set();
-    for (const rule of config.creation_rules) {
-      if (typeof rule.age === "string") {
-        for (const r of rule.age.split(",")) {
-          const trimmed = r.trim();
-          if (trimmed) {
-            recipients.add(trimmed);
-          }
-        }
-      }
-    }
-    return recipients.size;
-  } catch {
-    return 0;
-  }
-}
 function getSopsInstallHint() {
   if (process.platform === "darwin") return "brew install sops";
   return "see https://github.com/getsops/sops/releases";
@@ -83638,7 +83578,7 @@ function resolveTarget(opts2) {
 }
 function registerMigrateBackendCommand(program3, deps2) {
   program3.command("migrate-backend").description(
-    "Migrate encrypted files from one SOPS backend to another.\n\n  Decrypts each file with the current backend, re-encrypts with\n  the new one, updates clef.yaml, and regenerates .sops.yaml.\n\nExit codes:\n  0  migration completed successfully\n  1  migration failed (all changes rolled back)"
+    "Migrate encrypted files from one SOPS backend to another.\n\n  Decrypts each file with the current backend, re-encrypts with\n  the new one, and updates clef.yaml.\n\nExit codes:\n  0  migration completed successfully\n  1  migration failed (all changes rolled back)"
   ).option("--aws-kms-arn <arn>", "Migrate to AWS KMS with this key ARN").option("--gcp-kms-resource-id <id>", "Migrate to GCP KMS with this resource ID").option("--azure-kv-url <url>", "Migrate to Azure Key Vault with this URL").option("--pgp-fingerprint <fp>", "Migrate to PGP with this fingerprint").option("--age", "Migrate to age backend").option("-e, --environment <env>", "Scope migration to a single environment").option("--dry-run", "Preview changes without modifying any files").option("--skip-verify", "Skip post-migration verification step").action(async (opts2) => {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
@@ -83686,7 +83626,6 @@ ${sym("working")}  Backend migration summary:`);
           dryRun: opts2.dryRun,
           skipVerify: opts2.skipVerify
         },
-        { regenerateSopsConfig: () => scaffoldSopsConfig(repoRoot) },
         (event) => {
           switch (event.type) {
             case "skip":
@@ -83735,7 +83674,7 @@ ${sym("working")}  Backend migration summary:`);
       }
       if (!opts2.dryRun && result.migratedFiles.length > 0) {
         formatter.hint(
-          'git add clef.yaml .sops.yaml secrets/ && git commit -m "chore: migrate backend to ' + target.backend + '"'
+          'git add clef.yaml secrets/ && git commit -m "chore: migrate backend to ' + target.backend + '"'
         );
       }
     } catch (err) {