npm - @clef-sh/cli - Versions diffs - 0.1.12 → 0.1.13-beta.92 - Mend

@clef-sh/cli 0.1.12 → 0.1.13-beta.92

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.mjs CHANGED Viewed

@@ -22358,7 +22358,12 @@ var VALID_KMS_PROVIDERS;
 var init_types2 = __esm({
   "../core/src/kms/types.ts"() {
     "use strict";
-    VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
+    VALID_KMS_PROVIDERS = [
+      "aws",
+      "gcp",
+      "azure",
+      "cloud"
+    ];
   }
 });
@@ -95224,10 +95229,177 @@ var require_azure = __commonJS({
   }
 });
-// ../runtime/dist/kms/index.js
+// ../client/dist/kms.js
 var require_kms = __commonJS({
+  "../client/dist/kms.js"(exports, module) {
+    "use strict";
+    var __defProp2 = Object.defineProperty;
+    var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
+    var __getOwnPropNames2 = Object.getOwnPropertyNames;
+    var __hasOwnProp2 = Object.prototype.hasOwnProperty;
+    var __export2 = (target, all) => {
+      for (var name in all)
+        __defProp2(target, name, { get: all[name], enumerable: true });
+    };
+    var __copyProps2 = (to, from, except, desc) => {
+      if (from && typeof from === "object" || typeof from === "function") {
+        for (let key of __getOwnPropNames2(from))
+          if (!__hasOwnProp2.call(to, key) && key !== except)
+            __defProp2(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
+      }
+      return to;
+    };
+    var __toCommonJS = (mod3) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod3);
+    var kms_exports = {};
+    __export2(kms_exports, {
+      ClefClientError: () => ClefClientError,
+      CloudKmsProvider: () => CloudKmsProvider
+    });
+    module.exports = __toCommonJS(kms_exports);
+    var ClefClientError = class extends Error {
+      constructor(message, statusCode, fix) {
+        super(message);
+        this.statusCode = statusCode;
+        this.fix = fix;
+        this.name = "ClefClientError";
+      }
+      statusCode;
+      fix;
+    };
+    function resolveToken(explicit) {
+      if (explicit) return explicit;
+      if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+        return process.env.CLEF_SERVICE_TOKEN;
+      }
+      throw new ClefClientError(
+        "No service token configured",
+        void 0,
+        "Set CLEF_SERVICE_TOKEN or pass token in options."
+      );
+    }
+    async function request(baseUrl, opts2) {
+      const url = `${baseUrl}${opts2.path}`;
+      const headers = {
+        Authorization: `Bearer ${opts2.token}`,
+        Accept: "application/json"
+      };
+      if (opts2.body !== void 0) {
+        headers["Content-Type"] = "application/json";
+      }
+      const init = {
+        method: opts2.method,
+        headers,
+        body: opts2.body !== void 0 ? JSON.stringify(opts2.body) : void 0
+      };
+      let response;
+      try {
+        response = await opts2.fetchFn(url, init);
+      } catch (err) {
+        try {
+          response = await opts2.fetchFn(url, init);
+        } catch {
+          throw new ClefClientError(
+            `Connection failed: ${err.message}`,
+            void 0,
+            "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+          );
+        }
+      }
+      if (response.status >= 500) {
+        response = await opts2.fetchFn(url, init);
+      }
+      if (response.status === 401) {
+        throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+      }
+      if (response.status === 503) {
+        throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+      }
+      if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new ClefClientError(
+          `HTTP ${response.status}: ${text || response.statusText}`,
+          response.status
+        );
+      }
+      const json = await response.json();
+      if (json && typeof json === "object" && "success" in json) {
+        if (!json.success) {
+          throw new ClefClientError(json.message || "Request failed", response.status);
+        }
+        return json.data;
+      }
+      return json;
+    }
+    var CloudKmsProvider = class {
+      endpoint;
+      token;
+      constructor(options) {
+        this.endpoint = options.endpoint;
+        this.token = resolveToken(options.token);
+      }
+      async wrap(_keyId, _plaintext) {
+        throw new ClefClientError(
+          "CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption."
+        );
+      }
+      async unwrap(keyId, wrappedKey, _algorithm) {
+        const result = await request(this.endpoint, {
+          method: "POST",
+          path: "/api/v1/cloud/kms/decrypt",
+          body: {
+            keyArn: keyId,
+            ciphertext: wrappedKey.toString("base64")
+          },
+          token: this.token,
+          fetchFn: globalThis.fetch
+        });
+        return Buffer.from(result.plaintext, "base64");
+      }
+    };
+  }
+});
+// ../runtime/dist/kms/index.js
+var require_kms2 = __commonJS({
   "../runtime/dist/kms/index.js"(exports) {
     "use strict";
+    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
+      Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+      o["default"] = v;
+    });
+    var __importStar = exports && exports.__importStar || /* @__PURE__ */ (function() {
+      var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function(o2) {
+          var ar = [];
+          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+          return ar;
+        };
+        return ownKeys(o);
+      };
+      return function(mod3) {
+        if (mod3 && mod3.__esModule) return mod3;
+        var result = {};
+        if (mod3 != null) {
+          for (var k = ownKeys(mod3), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod3, k[i]);
+        }
+        __setModuleDefault(result, mod3);
+        return result;
+      };
+    })();
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.AzureKmsProvider = exports.GcpKmsProvider = exports.AwsKmsProvider = void 0;
     exports.createKmsProvider = createKmsProvider;
@@ -95246,7 +95418,7 @@ var require_kms = __commonJS({
     Object.defineProperty(exports, "AzureKmsProvider", { enumerable: true, get: function() {
       return azure_2.AzureKmsProvider;
     } });
-    function createKmsProvider(provider, options) {
+    async function createKmsProvider(provider, options) {
       switch (provider) {
         case "aws":
           return new aws_1.AwsKmsProvider(options?.region);
@@ -95254,6 +95426,17 @@ var require_kms = __commonJS({
           return new gcp_1.GcpKmsProvider();
         case "azure":
           return new azure_1.AzureKmsProvider();
+        case "cloud": {
+          try {
+            const { CloudKmsProvider } = await Promise.resolve().then(() => __importStar(require_kms()));
+            return new CloudKmsProvider({
+              endpoint: options?.endpoint ?? "",
+              token: options?.token
+            });
+          } catch {
+            throw new Error("Clef Cloud KMS requires @clef-sh/client. Install it with: npm install @clef-sh/client");
+          }
+        }
         default:
           throw new Error(`Unknown KMS provider: ${provider}`);
       }
@@ -95306,7 +95489,7 @@ var require_artifact_decryptor = __commonJS({
     exports.ArtifactDecryptor = void 0;
     var crypto6 = __importStar(__require("crypto"));
     var decrypt_1 = require_decrypt();
-    var kms_1 = require_kms();
+    var kms_1 = require_kms2();
     var ArtifactDecryptor = class {
       ageDecryptor = new decrypt_1.AgeDecryptor();
       privateKey;
@@ -95355,7 +95538,7 @@ var require_artifact_decryptor = __commonJS({
         const envelope = artifact.envelope;
         let dek;
         try {
-          const kms = (0, kms_1.createKmsProvider)(envelope.provider);
+          const kms = await (0, kms_1.createKmsProvider)(envelope.provider);
           const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
           dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
         } catch (err) {
@@ -96623,11 +96806,11 @@ var require_dist3 = __commonJS({
     Object.defineProperty(exports, "createVcsProvider", { enumerable: true, get: function() {
       return index_1.createVcsProvider;
     } });
-    var kms_1 = require_kms();
+    var kms_1 = require_kms2();
     Object.defineProperty(exports, "AwsKmsProvider", { enumerable: true, get: function() {
       return kms_1.AwsKmsProvider;
     } });
-    var kms_2 = require_kms();
+    var kms_2 = require_kms2();
     Object.defineProperty(exports, "createKmsProvider", { enumerable: true, get: function() {
       return kms_2.createKmsProvider;
     } });
@@ -97715,11 +97898,23 @@ function sym(key) {
 }
 // src/output/formatter.ts
+var _jsonMode = false;
+var _yesMode = false;
+function setJsonMode(json) {
+  _jsonMode = json;
+}
+function isJsonMode() {
+  return _jsonMode;
+}
+function setYesMode(yes) {
+  _yesMode = yes;
+}
 function color(fn, str2) {
   return isPlainMode() ? str2 : fn(str2);
 }
 var formatter = {
   success(message) {
+    if (_jsonMode) return;
     const icon = sym("success");
     process.stdout.write(color(import_picocolors.default.green, `${icon}  ${message}`) + "\n");
   },
@@ -97736,15 +97931,18 @@ var formatter = {
     process.stderr.write(color(import_picocolors.default.yellow, `${icon}  ${message}`) + "\n");
   },
   info(message) {
+    if (_jsonMode) return;
     const icon = sym("info");
     process.stdout.write(color(import_picocolors.default.blue, `${icon}  ${message}`) + "\n");
   },
   hint(message) {
+    if (_jsonMode) return;
     const icon = sym("arrow");
     process.stdout.write(`${icon}  ${message}
 `);
   },
   keyValue(key, value) {
+    if (_jsonMode) return;
     const icon = sym("key");
     const arrow = sym("arrow");
     const prefix2 = icon ? `${icon}  ` : "";
@@ -97752,30 +97950,38 @@ var formatter = {
 `);
   },
   pendingItem(key, days) {
+    if (_jsonMode) return;
     const icon = sym("pending");
     const prefix2 = icon ? `${icon}  ` : "[pending]  ";
     process.stdout.write(`${prefix2}${key} \u2014 ${days} day${days !== 1 ? "s" : ""} pending
 `);
   },
   recipientItem(label2, keyPreview2) {
+    if (_jsonMode) return;
     const icon = sym("recipient");
     const prefix2 = icon ? `${icon}  ` : "";
     process.stdout.write(`${prefix2}${label2.padEnd(15)}${keyPreview2}
 `);
   },
   section(label2) {
+    if (_jsonMode) return;
     process.stdout.write(`
 ${label2}
 `);
   },
   print(message) {
+    if (_jsonMode) return;
     process.stdout.write(message + "\n");
   },
   raw(message) {
     process.stdout.write(message);
   },
+  json(data) {
+    process.stdout.write(JSON.stringify(data) + "\n");
+  },
   table(rows, columns) {
+    if (_jsonMode) return;
     const widths = columns.map((col, i) => {
       const maxDataWidth = rows.reduce(
         (max, row) => Math.max(max, stripAnsi(row[i] ?? "").length),
@@ -97792,6 +97998,10 @@ ${label2}
     }
   },
   async confirm(prompt) {
+    if (_yesMode) return true;
+    if (_jsonMode) {
+      throw new Error("--json requires --yes for destructive operations");
+    }
     const rl = readline.createInterface({
       input: process.stdin,
       output: process.stderr
@@ -97826,6 +98036,9 @@ ${label2}
 `);
   },
   async secretPrompt(prompt) {
+    if (_jsonMode) {
+      throw new Error("--json mode requires value on the command line (no interactive prompt)");
+    }
     return new Promise((resolve7, reject) => {
       process.stderr.write(color(import_picocolors.default.cyan, `${prompt}: `));
       if (process.stdin.isTTY) {
@@ -97868,7 +98081,14 @@ function pad(str2, width) {
 }
 // src/handle-error.ts
+function exitJsonError(message) {
+  formatter.json({ error: true, message });
+  process.exit(1);
+}
 function handleCommandError(err) {
+  if (isJsonMode()) {
+    exitJsonError(err.message);
+  }
   if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
     formatter.formatDependencyError(err);
   } else {
@@ -98368,7 +98588,7 @@ async function handleSecondDevOnboarding(repoRoot, clefConfigPath, deps2, option
       "OS keychain is not available on this system.\n  The private key will be written to the filesystem instead.\n  See https://docs.clef.sh/guide/key-storage for security implications."
     );
     let keyPath;
-    if (options.nonInteractive || !process.stdin.isTTY) {
+    if (options.nonInteractive || isJsonMode() || !process.stdin.isTTY) {
       keyPath = process.env.CLEF_AGE_KEY_FILE || defaultAgeKeyPath(label2);
       keyPath = path23.resolve(keyPath);
     } else {
@@ -98401,6 +98621,10 @@ async function handleSecondDevOnboarding(repoRoot, clefConfigPath, deps2, option
     formatter.success("Created .clef/.gitignore");
   }
   formatter.success(`Key label: ${label2}`);
+  if (isJsonMode()) {
+    formatter.json({ action: "onboarded", manifest: "clef.yaml", config: ".clef/config.yaml" });
+    return;
+  }
   formatter.section("Next steps:");
   formatter.hint("clef recipients request  \u2014 request access to encrypted secrets");
   formatter.hint("clef update  \u2014 scaffold new environments");
@@ -98411,7 +98635,7 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
   let namespaces = options.namespaces ? options.namespaces.split(",").map((s) => s.trim()) : [];
   const backend = options.backend ?? "age";
   let secretsDir = options.secretsDir ?? "secrets";
-  if (!options.nonInteractive && process.stdin.isTTY) {
+  if (!options.nonInteractive && !isJsonMode() && process.stdin.isTTY) {
     const envAnswer = await promptWithDefault(
       "Environments (comma-separated)",
       environments.join(",")
@@ -98466,7 +98690,7 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
       formatter.warn(
         "OS keychain is not available on this system.\n  The private key must be written to the filesystem instead.\n  See https://docs.clef.sh/guide/key-storage for security implications."
       );
-      if (!options.nonInteractive && process.stdin.isTTY) {
+      if (!options.nonInteractive && !isJsonMode() && process.stdin.isTTY) {
         const confirmed = await formatter.confirm("Write the private key to the filesystem?");
         if (!confirmed) {
           formatter.error(
@@ -98477,7 +98701,7 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
         }
       }
       let keyPath;
-      if (options.nonInteractive || !process.stdin.isTTY) {
+      if (options.nonInteractive || isJsonMode() || !process.stdin.isTTY) {
         keyPath = defaultAgeKeyPath(label2);
         if (await isInsideAnyGitRepo(path23.resolve(keyPath))) {
           throw new Error(
@@ -98597,6 +98821,17 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
     formatter.print("     clef config set analytics false  (permanent)\n");
   } catch {
   }
+  if (isJsonMode()) {
+    formatter.json({
+      action: "initialized",
+      manifest: "clef.yaml",
+      environments: manifest.environments.map((e) => e.name),
+      namespaces: manifest.namespaces.map((n) => n.name),
+      backend,
+      scaffolded: scaffoldedCount
+    });
+    return;
+  }
   formatter.section("Next steps:");
   formatter.hint("clef set <namespace>/<env> <KEY> <value>  \u2014 add a secret");
   formatter.hint("clef scan  \u2014 check for existing plaintext secrets");
@@ -98857,7 +99092,9 @@ function registerGetCommand(program3, deps2) {
           return;
         }
         const val = decrypted.values[key];
-        if (opts2.raw) {
+        if (isJsonMode()) {
+          formatter.json({ key, value: val, namespace, environment });
+        } else if (opts2.raw) {
           formatter.raw(val);
         } else {
           const copied = copyToClipboard(val);
@@ -98962,6 +99199,16 @@ function registerSetCommand(program3, deps2) {
                   pendingErrors.push(env.name);
                 }
               }
+              if (isJsonMode()) {
+                formatter.json({
+                  key,
+                  namespace: namespace2,
+                  environments: manifest.environments.map((e) => e.name),
+                  action: "created",
+                  pending: true
+                });
+                return;
+              }
               formatter.success(
                 `'${key}' set in ${namespace2} across all environments ${sym("locked")}`
               );
@@ -98985,6 +99232,16 @@ function registerSetCommand(program3, deps2) {
                 } catch {
                 }
               }
+              if (isJsonMode()) {
+                formatter.json({
+                  key,
+                  namespace: namespace2,
+                  environments: manifest.environments.map((e) => e.name),
+                  action: "created",
+                  pending: false
+                });
+                return;
+              }
               formatter.success(`'${key}' set in ${namespace2} across all environments`);
               formatter.hint(`git add ${namespace2}/  # stage all updated files`);
             }
@@ -99048,6 +99305,10 @@ function registerSetCommand(program3, deps2) {
               process.exit(1);
               return;
             }
+            if (isJsonMode()) {
+              formatter.json({ key, namespace, environment, action: "created", pending: true });
+              return;
+            }
             formatter.success(`${key} set in ${namespace}/${environment} ${sym("locked")}`);
             formatter.print(
               `   ${sym("pending")}  Marked as pending \u2014 replace with a real value before deploying`
@@ -99062,6 +99323,10 @@ function registerSetCommand(program3, deps2) {
   The value is saved. Run clef lint to check for stale pending markers.`
               );
             }
+            if (isJsonMode()) {
+              formatter.json({ key, namespace, environment, action: "created", pending: false });
+              return;
+            }
             formatter.success(`${key} set in ${namespace}/${environment}`);
             formatter.hint(
               `Commit: git add ${manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", environment)}`
@@ -99130,7 +99395,10 @@ function registerCompareCommand(program3, deps2) {
         compareBuf.copy(paddedCompare);
         const timingEqual = crypto5.timingSafeEqual(paddedStored, paddedCompare);
         const match = storedBuf.length === compareBuf.length && timingEqual;
-        if (match) {
+        if (isJsonMode()) {
+          formatter.json({ match, key, namespace, environment });
+          if (!match) process.exit(1);
+        } else if (match) {
           formatter.success(`${key} ${sym("arrow")} values match`);
         } else {
           formatter.failure(`${key} ${sym("arrow")} values do not match`);
@@ -99178,6 +99446,15 @@ Type the key name to confirm:`
           }
           const bulkOps = new BulkOps();
           await bulkOps.deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot);
+          if (isJsonMode()) {
+            formatter.json({
+              key,
+              namespace,
+              environments: manifest.environments.map((e) => e.name),
+              action: "deleted"
+            });
+            return;
+          }
           formatter.success(`Deleted '${key}' from ${namespace} in all environments`);
         } else {
           const [namespace, environment] = parseTarget(target);
@@ -99216,6 +99493,10 @@ Type the key name to confirm:`
               `Key deleted but pending metadata could not be cleaned up. Run clef lint to verify.`
             );
           }
+          if (isJsonMode()) {
+            formatter.json({ key, namespace, environment, action: "deleted" });
+            return;
+          }
           formatter.success(`Deleted '${key}' from ${namespace}/${environment}`);
           formatter.hint(
             `Commit: git add ${manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", environment)}`
@@ -99234,10 +99515,11 @@ Type the key name to confirm:`
 var import_picocolors2 = __toESM(require_picocolors());
 init_src();
 import * as path33 from "path";
+var MASKED = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
 function registerDiffCommand(program3, deps2) {
   program3.command("diff <namespace> <env-a> <env-b>").description(
     "Compare secrets between two environments for a namespace.\n\nExit codes:\n  0  No differences\n  1  Differences found"
-  ).option("--show-identical", "Include identical keys in the output").option("--show-values", "Show plaintext values instead of masking them").option("--json", "Output raw DiffResult JSON").action(
+  ).option("--show-identical", "Include identical keys in the output").option("--show-values", "Show plaintext values instead of masking them").action(
     async (namespace, envA, envB, options) => {
       try {
         const repoRoot = program3.opts().dir || process.cwd();
@@ -99264,19 +99546,20 @@ function registerDiffCommand(program3, deps2) {
               formatter.warn("Warning: printing plaintext values for protected environment.");
             }
           }
-          if (options.json) {
-            const jsonOutput = options.showValues ? result : {
+          if (isJsonMode()) {
+            const jsonData = options.showValues ? result : {
               ...result,
               rows: result.rows.map((r) => ({
                 ...r,
-                valueA: r.valueA !== null ? "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" : null,
-                valueB: r.valueB !== null ? "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" : null,
+                valueA: r.valueA !== null ? MASKED : null,
+                valueB: r.valueB !== null ? MASKED : null,
                 masked: true
               }))
             };
-            formatter.raw(JSON.stringify(jsonOutput, null, 2) + "\n");
+            formatter.json(jsonData);
             const hasDiffs2 = result.rows.some((r) => r.status !== "identical");
             process.exit(hasDiffs2 ? 1 : 0);
+            return;
           }
           formatDiffOutput(
             result,
@@ -99296,7 +99579,6 @@ function registerDiffCommand(program3, deps2) {
     }
   );
 }
-var MASKED = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
 function formatDiffOutput(result, envA, envB, showIdentical, showValues) {
   const filteredRows = showIdentical ? result.rows : result.rows.filter((r) => r.status !== "identical");
   if (filteredRows.length === 0) {
@@ -99578,7 +99860,7 @@ async function fetchCheckpoint(config) {
 }
 // package.json
-var version2 = "0.1.12";
+var version2 = "0.1.13-beta.92";
 var package_default = {
   name: "@clef-sh/cli",
   version: version2,
@@ -99649,7 +99931,7 @@ var package_default = {
 function registerLintCommand(program3, deps2) {
   program3.command("lint").description(
     "Full repo health check \u2014 matrix completeness, schema validation, SOPS integrity.\n\nExit codes:\n  0  No errors (warnings are allowed)\n  1  Errors found"
-  ).option("--fix", "Auto-fix safe issues (scaffold missing files)").option("--json", "Output raw LintResult JSON").option("--push", "Push results as OTLP to CLEF_TELEMETRY_URL").action(async (options) => {
+  ).option("--fix", "Auto-fix safe issues (scaffold missing files)").option("--push", "Push results as OTLP to CLEF_TELEMETRY_URL").action(async (options) => {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
@@ -99684,8 +99966,8 @@ function registerLintCommand(program3, deps2) {
           await pushOtlp(payload, config);
           formatter.success("Lint results pushed to telemetry endpoint.");
         }
-        if (options.json) {
-          formatter.raw(JSON.stringify(result, null, 2) + "\n");
+        if (isJsonMode()) {
+          formatter.json(result);
           const hasErrors2 = result.issues.some((i) => i.severity === "error");
           process.exit(hasErrors2 ? 1 : 0);
           return;
@@ -99794,6 +100076,10 @@ function registerRotateCommand(program3, deps2) {
         const relativeFile = manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", environment);
         formatter.print(`${sym("working")}  Rotating ${namespace}/${environment}...`);
         await sopsClient.reEncrypt(filePath, options.newKey);
+        if (isJsonMode()) {
+          formatter.json({ namespace, environment, file: relativeFile, action: "rotated" });
+          return;
+        }
         formatter.success(`Rotated. New values encrypted. ${sym("locked")}`);
         formatter.hint(
           `git add ${relativeFile} && git commit -m "rotate: ${namespace}/${environment}"`
@@ -99839,15 +100125,28 @@ function registerHooksCommand(program3, deps2) {
       }
       const git = new GitIntegration(deps2.runner);
       await git.installPreCommitHook(repoRoot);
+      let mergeDriverOk = false;
+      try {
+        await git.installMergeDriver(repoRoot);
+        mergeDriverOk = true;
+      } catch {
+      }
+      if (isJsonMode()) {
+        formatter.json({
+          preCommitHook: true,
+          mergeDriver: mergeDriverOk,
+          hookPath
+        });
+        return;
+      }
       formatter.success("Pre-commit hook installed");
       formatter.print(`   ${sym("pending")}  ${hookPath}`);
       formatter.hint(
         "Hook checks SOPS metadata on staged .enc files and runs: clef scan --staged"
       );
-      try {
-        await git.installMergeDriver(repoRoot);
+      if (mergeDriverOk) {
         formatter.success("SOPS merge driver configured");
-      } catch {
+      } else {
         formatter.warn("Could not configure SOPS merge driver. Run inside a git repository.");
       }
     } catch (err) {
@@ -100146,6 +100445,14 @@ Usage: clef export payments/production --format env`
       );
       try {
         const decrypted = await sopsClient.decrypt(filePath);
+        if (isJsonMode()) {
+          const pairs = Object.entries(decrypted.values).map(([k, v]) => ({
+            key: k,
+            value: v
+          }));
+          formatter.json({ pairs, namespace, environment });
+          return;
+        }
         const consumption = new ConsumptionClient();
         const output = consumption.formatExport(decrypted, "env", !options.export);
         if (options.raw) {
@@ -100186,7 +100493,7 @@ import * as path41 from "path";
 function registerDoctorCommand(program3, deps2) {
   program3.command("doctor").description(
     "Check your environment for required dependencies and configuration.\n\nExit codes:\n  0  All checks pass\n  1  One or more checks failed"
-  ).option("--json", "Output the full status as JSON").option("--fix", "Attempt to auto-fix issues").action(async (options) => {
+  ).option("--fix", "Attempt to auto-fix issues").action(async (options) => {
     const repoRoot = program3.opts().dir || process.cwd();
     const clefVersion = program3.version() ?? "unknown";
     const checks = [];
@@ -100273,7 +100580,7 @@ function registerDoctorCommand(program3, deps2) {
         formatter.warn("--fix cannot resolve these issues automatically.");
       }
     }
-    if (options.json) {
+    if (isJsonMode()) {
       const json = {
         clef: { version: clefVersion, ok: true },
         sops: {
@@ -100303,7 +100610,7 @@ function registerDoctorCommand(program3, deps2) {
           ok: mergeDriverOk
         }
       };
-      formatter.raw(JSON.stringify(json, null, 2) + "\n");
+      formatter.json(json);
       const hasFailures = checks.some((c) => !c.ok);
       process.exit(hasFailures ? 1 : 0);
       return;
@@ -100437,6 +100744,11 @@ function registerUpdateCommand(program3, deps2) {
           );
         }
       }
+      if (isJsonMode()) {
+        formatter.json({ scaffolded: scaffoldedCount, failed: failedCount });
+        process.exit(failedCount > 0 ? 1 : 0);
+        return;
+      }
       if (scaffoldedCount > 0) {
         formatter.success(`Scaffolded ${scaffoldedCount} encrypted file(s)`);
       }
@@ -100462,69 +100774,57 @@ function registerScanCommand(program3, deps2) {
     "--severity <level>",
     "Detection level: all (patterns+entropy) or high (patterns only)",
     "all"
-  ).option("--json", "Output machine-readable JSON").action(
-    async (paths, options) => {
-      const repoRoot = program3.opts().dir || process.cwd();
-      let manifest;
-      try {
-        const parser = new ManifestParser();
-        manifest = parser.parse(path43.join(repoRoot, "clef.yaml"));
-      } catch (err) {
-        if (err instanceof ManifestValidationError || err.message?.includes("clef.yaml")) {
-          formatter.error("No clef.yaml found. Run 'clef init' to set up this repository.");
-        } else {
-          formatter.error(err.message);
-        }
-        process.exit(2);
-        return;
-      }
-      if (options.severity && options.severity !== "all" && options.severity !== "high") {
-        formatter.error(`Invalid severity '${options.severity}'. Must be 'all' or 'high'.`);
-        process.exit(2);
-        return;
-      }
-      const severity = options.severity === "high" ? "high" : "all";
-      const scanRunner = new ScanRunner(deps2.runner);
-      if (!options.json) {
-        formatter.print(import_picocolors4.default.dim("Scanning repository for unencrypted secrets..."));
-      }
-      let result;
-      try {
-        result = await scanRunner.scan(repoRoot, manifest, {
-          stagedOnly: options.staged,
-          paths: paths.length > 0 ? paths : void 0,
-          severity
-        });
-      } catch (err) {
-        formatter.error(`Scan failed: ${err.message}`);
-        process.exit(2);
-        return;
-      }
-      if (options.json) {
-        const totalIssues = result.matches.length + result.unencryptedMatrixFiles.length;
-        formatter.raw(
-          JSON.stringify(
-            {
-              matches: result.matches,
-              unencryptedMatrixFiles: result.unencryptedMatrixFiles,
-              filesScanned: result.filesScanned,
-              filesSkipped: result.filesSkipped,
-              durationMs: result.durationMs,
-              summary: `${totalIssues} issue${totalIssues !== 1 ? "s" : ""} found`
-            },
-            null,
-            2
-          ) + "\n"
-        );
-        const hasIssues2 = result.matches.length > 0 || result.unencryptedMatrixFiles.length > 0;
-        process.exit(hasIssues2 ? 1 : 0);
-        return;
+  ).action(async (paths, options) => {
+    const repoRoot = program3.opts().dir || process.cwd();
+    let manifest;
+    try {
+      const parser = new ManifestParser();
+      manifest = parser.parse(path43.join(repoRoot, "clef.yaml"));
+    } catch (err) {
+      if (err instanceof ManifestValidationError || err.message?.includes("clef.yaml")) {
+        formatter.error("No clef.yaml found. Run 'clef init' to set up this repository.");
+      } else {
+        formatter.error(err.message);
       }
-      formatScanOutput(result);
-      const hasIssues = result.matches.length > 0 || result.unencryptedMatrixFiles.length > 0;
-      process.exit(hasIssues ? 1 : 0);
+      process.exit(2);
+      return;
     }
-  );
+    if (options.severity && options.severity !== "all" && options.severity !== "high") {
+      formatter.error(`Invalid severity '${options.severity}'. Must be 'all' or 'high'.`);
+      process.exit(2);
+      return;
+    }
+    const severity = options.severity === "high" ? "high" : "all";
+    const scanRunner = new ScanRunner(deps2.runner);
+    formatter.print(import_picocolors4.default.dim("Scanning repository for unencrypted secrets..."));
+    let result;
+    try {
+      result = await scanRunner.scan(repoRoot, manifest, {
+        stagedOnly: options.staged,
+        paths: paths.length > 0 ? paths : void 0,
+        severity
+      });
+    } catch (err) {
+      formatter.error(`Scan failed: ${err.message}`);
+      process.exit(2);
+      return;
+    }
+    if (isJsonMode()) {
+      formatter.json({
+        matches: result.matches,
+        unencryptedMatrixFiles: result.unencryptedMatrixFiles,
+        filesScanned: result.filesScanned,
+        filesSkipped: result.filesSkipped,
+        durationMs: result.durationMs
+      });
+      const hasIssues2 = result.matches.length > 0 || result.unencryptedMatrixFiles.length > 0;
+      process.exit(hasIssues2 ? 1 : 0);
+      return;
+    }
+    formatScanOutput(result);
+    const hasIssues = result.matches.length > 0 || result.unencryptedMatrixFiles.length > 0;
+    process.exit(hasIssues ? 1 : 0);
+  });
 }
 function formatScanOutput(result) {
   const totalIssues = result.matches.length + result.unencryptedMatrixFiles.length;
@@ -100689,6 +100989,17 @@ function registerImportCommand(program3, deps2) {
             process.exit(2);
             return;
           }
+          if (isJsonMode()) {
+            formatter.json({
+              imported: result.imported,
+              skipped: result.skipped,
+              failed: result.failed,
+              warnings: result.warnings,
+              dryRun: opts2.dryRun
+            });
+            process.exit(result.failed.length > 0 ? 1 : 0);
+            return;
+          }
           for (const warning of result.warnings) {
             formatter.print(`  ${sym("warning")}  ${warning}`);
           }
@@ -100748,6 +101059,7 @@ init_src();
 import * as path45 from "path";
 import * as readline4 from "readline";
 function waitForEnter(message) {
+  if (isJsonMode()) return Promise.resolve();
   return new Promise((resolve7) => {
     const rl = readline4.createInterface({
       input: process.stdin,
@@ -100781,6 +101093,10 @@ function registerRecipientsCommand(program3, deps2) {
       const sopsClient = await createSopsClient(repoRoot, deps2.runner);
       const recipientManager = new RecipientManager(sopsClient, matrixManager);
       const recipients = await recipientManager.list(manifest, repoRoot, opts2.environment);
+      if (isJsonMode()) {
+        formatter.json(recipients);
+        return;
+      }
       if (recipients.length === 0) {
         const scope2 = opts2.environment ? ` for environment '${opts2.environment}'` : "";
         formatter.info(`No recipients configured${scope2}.`);
@@ -100811,7 +101127,7 @@ function registerRecipientsCommand(program3, deps2) {
         return;
       }
       const normalizedKey = validation.key;
-      const success = await executeRecipientAdd(
+      const result = await executeRecipientAdd(
         repoRoot,
         program3,
         deps2,
@@ -100819,11 +101135,21 @@ function registerRecipientsCommand(program3, deps2) {
         opts2.label,
         opts2.environment
       );
-      if (success) {
-        const label2 = opts2.label || keyPreview(normalizedKey);
-        formatter.hint(
-          `git add clef.yaml && git add -A && git commit -m "add recipient: ${label2} [${opts2.environment}]"`
-        );
+      if (result) {
+        if (isJsonMode()) {
+          formatter.json({
+            action: "added",
+            key: normalizedKey,
+            label: opts2.label || keyPreview(normalizedKey),
+            environment: opts2.environment,
+            reEncryptedFiles: result.reEncryptedFiles.length
+          });
+        } else {
+          const label2 = opts2.label || keyPreview(normalizedKey);
+          formatter.hint(
+            `git add clef.yaml && git add -A && git commit -m "add recipient: ${label2} [${opts2.environment}]"`
+          );
+        }
       }
     } catch (err) {
       handleCommandError(err);
@@ -100919,6 +101245,16 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
         const relative7 = path45.relative(repoRoot, file);
         formatter.print(`   ${sym("success")}  ${relative7}`);
       }
+      if (isJsonMode()) {
+        formatter.json({
+          action: "removed",
+          key: trimmedKey,
+          label: label2,
+          environment: opts2.environment ?? null,
+          reEncryptedFiles: result.reEncryptedFiles.length
+        });
+        return;
+      }
       formatter.success(
         `${label2} removed. ${result.reEncryptedFiles.length} files re-encrypted. ${sym("locked")}`
       );
@@ -100983,6 +101319,15 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
         return;
       }
       upsertRequest(repoRoot, publicKey, label2, opts2.environment);
+      if (isJsonMode()) {
+        formatter.json({
+          action: "requested",
+          label: label2,
+          key: publicKey,
+          environment: opts2.environment ?? null
+        });
+        return;
+      }
       const scope = opts2.environment ? ` for environment '${opts2.environment}'` : "";
       formatter.success(`Access requested as '${label2}'${scope}`);
       formatter.print(`  Key: ${keyPreview(publicKey)}`);
@@ -100998,6 +101343,15 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const requests = loadRequests(repoRoot);
+      if (isJsonMode()) {
+        formatter.json(
+          requests.map((r) => ({
+            ...r,
+            requestedAt: r.requestedAt.toISOString()
+          }))
+        );
+        return;
+      }
       if (requests.length === 0) {
         formatter.info("No pending access requests.");
         return;
@@ -101037,7 +101391,7 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
         process.exit(2);
         return;
       }
-      const success = await executeRecipientAdd(
+      const result = await executeRecipientAdd(
         repoRoot,
         program3,
         deps2,
@@ -101045,11 +101399,21 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
         request.label,
         environment
       );
-      if (success) {
+      if (result) {
         removeRequest(repoRoot, identifier);
-        formatter.hint(
-          `git add clef.yaml ${REQUESTS_FILENAME} && git add -A && git commit -m "approve recipient: ${request.label} [${environment}]"`
-        );
+        if (isJsonMode()) {
+          formatter.json({
+            action: "approved",
+            identifier,
+            label: request.label,
+            environment,
+            reEncryptedFiles: result.reEncryptedFiles.length
+          });
+        } else {
+          formatter.hint(
+            `git add clef.yaml ${REQUESTS_FILENAME} && git add -A && git commit -m "approve recipient: ${request.label} [${environment}]"`
+          );
+        }
       }
     } catch (err) {
       handleCommandError(err);
@@ -101065,7 +101429,7 @@ async function executeRecipientAdd(repoRoot, _program, deps2, key, label2, envir
       `Environment '${environment}' not found. Available: ${manifest.environments.map((e) => e.name).join(", ")}`
     );
     process.exit(2);
-    return false;
+    return null;
   }
   const matrixManager = new MatrixManager();
   const sopsClient = await createSopsClient(repoRoot, deps2.runner);
@@ -101074,7 +101438,7 @@ async function executeRecipientAdd(repoRoot, _program, deps2, key, label2, envir
   if (existing.some((r) => r.key === key)) {
     formatter.error(`Recipient '${keyPreview(key)}' is already present.`);
     process.exit(2);
-    return false;
+    return null;
   }
   const allCells = matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists && c.environment === environment);
   const fileCount = allCells.length;
@@ -101091,7 +101455,7 @@ This will re-encrypt ${fileCount} files in the matrix.`);
   const confirmed = await formatter.confirm("Proceed?");
   if (!confirmed) {
     formatter.info("Aborted.");
-    return false;
+    return null;
   }
   formatter.print(`
 ${sym("working")}  Re-encrypting matrix...`);
@@ -101108,7 +101472,7 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`);
     );
     formatter.print("\nNo changes were applied. Investigate the error above and retry.");
     process.exit(1);
-    return false;
+    return null;
   }
   for (const file of result.reEncryptedFiles) {
     const relative7 = path45.relative(repoRoot, file);
@@ -101118,7 +101482,7 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`);
   formatter.success(
     `${displayLabel} added. ${result.reEncryptedFiles.length} files re-encrypted. ${sym("locked")}`
   );
-  return true;
+  return { reEncryptedFiles: result.reEncryptedFiles };
 }
 // src/commands/merge-driver.ts
@@ -101281,6 +101645,16 @@ function registerServiceCommand(program3, deps2) {
           repoRoot,
           kmsEnvConfigs
         );
+        if (isJsonMode()) {
+          formatter.json({
+            action: "created",
+            identity: result.identity.name,
+            namespaces: result.identity.namespaces,
+            environments: Object.keys(result.identity.environments),
+            privateKeys: result.privateKeys
+          });
+          return;
+        }
         formatter.success(`Service identity '${name}' created.`);
         formatter.print(`
   Namespaces: ${result.identity.namespaces.join(", ")}`);
@@ -101334,6 +101708,10 @@ function registerServiceCommand(program3, deps2) {
       const sopsClient = await createSopsClient(repoRoot, deps2.runner);
       const manager = new ServiceIdentityManager(sopsClient, matrixManager);
       const identities = manager.list(manifest);
+      if (isJsonMode()) {
+        formatter.json(identities);
+        return;
+      }
       if (identities.length === 0) {
         formatter.info("No service identities configured.");
         return;
@@ -101363,6 +101741,10 @@ function registerServiceCommand(program3, deps2) {
         process.exit(1);
         return;
       }
+      if (isJsonMode()) {
+        formatter.json(identity);
+        return;
+      }
       formatter.print(`
 Service Identity: ${identity.name}`);
       formatter.print(`Description: ${identity.description}`);
@@ -101391,6 +101773,11 @@ Service Identity: ${identity.name}`);
       const sopsClient = await createSopsClient(repoRoot, deps2.runner);
       const manager = new ServiceIdentityManager(sopsClient, matrixManager);
       const issues = await manager.validate(manifest, repoRoot);
+      if (isJsonMode()) {
+        formatter.json({ issues });
+        process.exit(issues.length > 0 ? 1 : 0);
+        return;
+      }
       if (issues.length === 0) {
         formatter.success("All service identities are valid.");
         return;
@@ -101441,6 +101828,17 @@ Service Identity: ${identity.name}`);
       const manager = new ServiceIdentityManager(sopsClient, matrixManager);
       formatter.print(`${sym("working")}  Updating service identity '${name}'...`);
       await manager.updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot);
+      if (isJsonMode()) {
+        formatter.json({
+          action: "updated",
+          identity: name,
+          changed: Object.entries(kmsEnvConfigs).map(([env, cfg]) => ({
+            environment: env,
+            provider: cfg.provider
+          }))
+        });
+        return;
+      }
       formatter.success(`Service identity '${name}' updated.`);
       for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
         formatter.print(`  ${envName}: switched to KMS envelope (${kmsConfig.provider})`);
@@ -101476,6 +101874,10 @@ Service Identity: ${identity.name}`);
       const manager = new ServiceIdentityManager(sopsClient, matrixManager);
       formatter.print(`${sym("working")}  Deleting service identity '${name}'...`);
       await manager.delete(name, manifest, repoRoot);
+      if (isJsonMode()) {
+        formatter.json({ action: "deleted", identity: name });
+        return;
+      }
       formatter.success(`Service identity '${name}' deleted.`);
       formatter.hint(
         `git add clef.yaml && git commit -m "chore: delete service identity '${name}'"`
@@ -101512,6 +101914,15 @@ Service Identity: ${identity.name}`);
       }
       formatter.print(`${sym("working")}  Rotating key for '${name}'...`);
       const newKeys = await manager.rotateKey(name, manifest, repoRoot, opts2.environment);
+      if (isJsonMode()) {
+        formatter.json({
+          action: "rotated",
+          identity: name,
+          environments: Object.keys(newKeys),
+          privateKeys: newKeys
+        });
+        return;
+      }
       formatter.success(`Key rotated for '${name}'.`);
       const entries = Object.entries(newKeys);
       const block = entries.map(([env, key]) => `${env}: ${key}`).join("\n");
@@ -101652,7 +102063,7 @@ function registerPackCommand(program3, deps2) {
         const envConfig = si?.environments[environment];
         if (envConfig && isKmsEnvelope(envConfig)) {
           const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-          kmsProvider = createKmsProvider(envConfig.kms.provider, {
+          kmsProvider = await createKmsProvider(envConfig.kms.provider, {
             region: envConfig.kms.region
           });
         }
@@ -101687,6 +102098,18 @@ function registerPackCommand(program3, deps2) {
           const fileOut = new FilePackOutput(outputPath);
           await fileOut.write(memOutput.artifact, memOutput.json);
         }
+        if (isJsonMode()) {
+          formatter.json({
+            identity,
+            environment,
+            keyCount: result.keyCount,
+            namespaceCount: result.namespaceCount,
+            artifactSize: result.artifactSize,
+            revision: result.revision,
+            output: outputPath ?? null
+          });
+          return;
+        }
         formatter.success(
           `Artifact packed: ${result.keyCount} keys from ${result.namespaceCount} namespace(s).`
         );
@@ -101764,6 +102187,15 @@ function registerRevokeCommand(program3, _deps) {
       fs32.mkdirSync(artifactDir, { recursive: true });
       fs32.writeFileSync(artifactPath, JSON.stringify(revoked, null, 2) + "\n", "utf-8");
       const relPath = path49.relative(repoRoot, artifactPath);
+      if (isJsonMode()) {
+        formatter.json({
+          identity,
+          environment,
+          revokedAt: revoked.revokedAt,
+          markerPath: relPath
+        });
+        return;
+      }
       formatter.success(`Artifact revoked: ${relPath}`);
       formatter.print("");
       formatter.print(`${sym("arrow")}  If your agent fetches artifacts from git (VCS source):`);
@@ -101792,37 +102224,35 @@ import * as path50 from "path";
 function registerDriftCommand(program3, _deps) {
   program3.command("drift <path>").description(
     "Compare key sets across two local Clef repos without decryption.\n\nReads encrypted YAML files as plaintext (key names are not encrypted)\nand reports keys that exist in some environments but not others.\n\nDoes not require sops to be installed.\n\nExit codes:\n  0  No drift\n  1  Drift found"
-  ).option("--json", "Output raw DriftResult JSON for CI parsing").option("--push", "Push results as OTLP to CLEF_TELEMETRY_URL").option("--namespace <name...>", "Scope to specific namespace(s)").action(
-    async (remotePath, options) => {
-      try {
-        const localRoot = program3.opts().dir || process.cwd();
-        const remoteRoot = path50.resolve(localRoot, remotePath);
-        const detector = new DriftDetector();
-        const result = detector.detect(localRoot, remoteRoot, options.namespace);
-        if (options.push) {
-          const config = resolveTelemetryConfig();
-          if (!config) {
-            formatter.error("--push requires CLEF_TELEMETRY_URL to be set.");
-            process.exit(1);
-            return;
-          }
-          const payload = driftResultToOtlp(result, version2);
-          await pushOtlp(payload, config);
-          formatter.success("Drift results pushed to telemetry endpoint.");
-        }
-        if (options.json) {
-          formatter.raw(JSON.stringify(result, null, 2) + "\n");
-          process.exit(result.issues.length > 0 ? 1 : 0);
+  ).option("--push", "Push results as OTLP to CLEF_TELEMETRY_URL").option("--namespace <name...>", "Scope to specific namespace(s)").action(async (remotePath, options) => {
+    try {
+      const localRoot = program3.opts().dir || process.cwd();
+      const remoteRoot = path50.resolve(localRoot, remotePath);
+      const detector = new DriftDetector();
+      const result = detector.detect(localRoot, remoteRoot, options.namespace);
+      if (options.push) {
+        const config = resolveTelemetryConfig();
+        if (!config) {
+          formatter.error("--push requires CLEF_TELEMETRY_URL to be set.");
+          process.exit(1);
           return;
         }
-        formatDriftOutput(result);
+        const payload = driftResultToOtlp(result, version2);
+        await pushOtlp(payload, config);
+        formatter.success("Drift results pushed to telemetry endpoint.");
+      }
+      if (isJsonMode()) {
+        formatter.json(result);
         process.exit(result.issues.length > 0 ? 1 : 0);
-      } catch (err) {
-        formatter.error(err.message);
-        process.exit(1);
+        return;
       }
+      formatDriftOutput(result);
+      process.exit(result.issues.length > 0 ? 1 : 0);
+    } catch (err) {
+      formatter.error(err.message);
+      process.exit(1);
     }
-  );
+  });
 }
 function formatDriftOutput(result) {
   if (result.namespacesCompared === 0) {
@@ -101915,7 +102345,7 @@ async function getHeadSha(repoRoot, runner2) {
 function registerReportCommand(program3, deps2) {
   program3.command("report").description(
     "Generate a metadata report for this Clef repository.\n\nIncludes repo identity, matrix status, policy issues, and recipient\nsummaries. Never exposes ciphertext, key names, or decrypted values.\n\nExit codes:\n  0  No errors\n  1  Errors found"
-  ).option("--json", "Output full report as JSON").option("--push", "Push report as OTLP to CLEF_TELEMETRY_URL (with automatic gap-fill)").option("--at <sha>", "Generate report at a specific commit").option("--since <sha>", "Generate reports for all commits since <sha>").option("--namespace <name...>", "Filter to namespace(s)").option("--environment <name...>", "Filter to environment(s)").action(
+  ).option("--push", "Push report as OTLP to CLEF_TELEMETRY_URL (with automatic gap-fill)").option("--at <sha>", "Generate report at a specific commit").option("--since <sha>", "Generate reports for all commits since <sha>").option("--namespace <name...>", "Filter to namespace(s)").option("--environment <name...>", "Filter to environment(s)").action(
     async (options) => {
       try {
         const repoRoot = program3.opts().dir || process.cwd();
@@ -101927,7 +102357,7 @@ function registerReportCommand(program3, deps2) {
             deps2.runner
           );
           await maybePush(report, options.push);
-          outputReport(report, options);
+          outputReport(report);
           return;
         }
         const sopsClient = await createSopsClient(repoRoot, deps2.runner);
@@ -101945,7 +102375,7 @@ function registerReportCommand(program3, deps2) {
         });
         if (options.push) {
           await pushWithGapFill(repoRoot, headReport, deps2.runner);
-          outputReport(headReport, options);
+          outputReport(headReport);
           return;
         }
         if (options.since) {
@@ -101959,8 +102389,8 @@ function registerReportCommand(program3, deps2) {
               reports.push(await generateReportAtCommit(repoRoot, sha, version2, deps2.runner));
             }
           }
-          if (options.json) {
-            formatter.raw(JSON.stringify(reports, null, 2) + "\n");
+          if (isJsonMode()) {
+            formatter.json(reports);
           } else {
             formatter.print(
               `Generated ${reports.length} report(s) for commits since ${options.since.slice(0, 8)}`
@@ -101975,7 +102405,7 @@ function registerReportCommand(program3, deps2) {
           process.exit(reports.some((r) => r.policy.issueCount.error > 0) ? 1 : 0);
           return;
         }
-        outputReport(headReport, options);
+        outputReport(headReport);
       } catch (err) {
         handleCommandError(err);
       }
@@ -102026,9 +102456,9 @@ async function maybePush(report, push) {
   await pushOtlp(payload, config);
   formatter.success("Report pushed to telemetry endpoint.");
 }
-function outputReport(report, opts2) {
-  if (opts2.json) {
-    formatter.raw(JSON.stringify(report, null, 2) + "\n");
+function outputReport(report) {
+  if (isJsonMode()) {
+    formatter.json(report);
     process.exit(report.policy.issueCount.error > 0 ? 1 : 0);
     return;
   }
@@ -102197,6 +102627,16 @@ function registerInstallCommand(program3, _deps) {
       }
       const manifestFile = files.find((f2) => f2.name === "broker.yaml");
       const manifest = manifestFile ? (0, import_yaml.parse)(manifestFile.content) : {};
+      if (isJsonMode()) {
+        formatter.json({
+          broker: entry.name,
+          provider: entry.provider,
+          tier: entry.tier,
+          files: files.map((f2) => `brokers/${entry.name}/${f2.name}`)
+        });
+        process.exit(0);
+        return;
+      }
       formatter.print("");
       formatter.print(`  ${sym("success")} ${entry.name}`);
       formatter.print("");
@@ -102260,6 +102700,11 @@ function registerSearchCommand(program3, _deps) {
         if (options.tier) {
           results = results.filter((b) => b.tier === Number(options.tier));
         }
+        if (isJsonMode()) {
+          formatter.json(results);
+          process.exit(0);
+          return;
+        }
         if (results.length === 0) {
           formatter.info("No brokers found matching your query.");
           process.exit(0);
@@ -102390,6 +102835,20 @@ ${sym("working")}  Backend migration summary:`);
             }
           }
         );
+        if (isJsonMode()) {
+          formatter.json({
+            backend: target.backend,
+            migratedFiles: result.migratedFiles,
+            skippedFiles: result.skippedFiles,
+            verifiedFiles: result.verifiedFiles,
+            warnings: result.warnings,
+            rolledBack: result.rolledBack,
+            error: result.error ?? null,
+            dryRun: opts2.dryRun ?? false
+          });
+          process.exit(result.rolledBack ? 1 : 0);
+          return;
+        }
         if (result.rolledBack) {
           formatter.error(`Migration failed: ${result.error}`);
           formatter.info("All changes have been rolled back.");
@@ -102478,7 +102937,7 @@ function registerServeCommand(program3, deps2) {
       const envConfig = si.environments[opts2.env];
       if (envConfig && isKmsEnvelope(envConfig)) {
         const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-        kmsProvider = createKmsProvider(envConfig.kms.provider, {
+        kmsProvider = await createKmsProvider(envConfig.kms.provider, {
           region: envConfig.kms.region
         });
       }
@@ -102540,12 +102999,18 @@ var VERSION = package_default.version;
 var program2 = new Command();
 var runner = new NodeSubprocessRunner();
 var deps = { runner };
-program2.name("clef").option("--dir <path>", "Path to a local Clef repository root (default: current directory)").option("--plain", "Plain output, no emoji or colour");
+program2.name("clef").option("--dir <path>", "Path to a local Clef repository root (default: current directory)").option("--plain", "Plain output, no emoji or colour").option("--json", "Output machine-readable JSON (suppresses human output)").option("--yes", "Auto-confirm destructive operations (required with --json for writes)");
 program2.hook("preAction", async () => {
   const opts2 = program2.opts();
   if (opts2.plain) {
     setPlainMode(true);
   }
+  if (opts2.json) {
+    setJsonMode(true);
+  }
+  if (opts2.yes) {
+    setYesMode(true);
+  }
 });
 program2.addHelpText("beforeAll", () => {
   const clef = isPlainMode() ? "clef" : symbols.clef;
@@ -102644,6 +103109,9 @@ async function main() {
   }
 }
 main().catch((err) => {
+  if (isJsonMode()) {
+    exitJsonError(err.message);
+  }
   formatter.error(err.message);
   process.exit(1);
 });