@clef-sh/cli 0.1.13-beta.88 → 0.1.13
- package/dist/index.cjs +193 -10
- package/dist/index.cjs.map +4 -4
- package/dist/index.mjs +193 -10
- package/dist/index.mjs.map +4 -4
- package/package.json +1 -1
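--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -21959,7 +21959,12 @@ var VALID_KMS_PROVIDERS;
 var init_types2 = __esm({
 "../core/src/kms/types.ts"() {
 "use strict";
-VALID_KMS_PROVIDERS = [
+VALID_KMS_PROVIDERS = [
+"aws",
+"gcp",
+"azure",
+"cloud"
+];
 }
 });
 
@@ -94826,10 +94831,177 @@ var require_azure = __commonJS({
 }
 });
 
-// ../
+// ../client/dist/kms.js
 var require_kms = __commonJS({
+"../client/dist/kms.js"(exports2, module2) {
+"use strict";
+var __defProp2 = Object.defineProperty;
+var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames2 = Object.getOwnPropertyNames;
+var __hasOwnProp2 = Object.prototype.hasOwnProperty;
+var __export2 = (target, all) => {
+for (var name in all)
+__defProp2(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps2 = (to, from, except, desc) => {
+if (from && typeof from === "object" || typeof from === "function") {
+for (let key of __getOwnPropNames2(from))
+if (!__hasOwnProp2.call(to, key) && key !== except)
+__defProp2(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
+}
+return to;
+};
+var __toCommonJS = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
+var kms_exports = {};
+__export2(kms_exports, {
+ClefClientError: () => ClefClientError,
+CloudKmsProvider: () => CloudKmsProvider
+});
+module2.exports = __toCommonJS(kms_exports);
+var ClefClientError = class extends Error {
+constructor(message, statusCode, fix) {
+super(message);
+this.statusCode = statusCode;
+this.fix = fix;
+this.name = "ClefClientError";
+}
+statusCode;
+fix;
+};
+function resolveToken(explicit) {
+if (explicit) return explicit;
+if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+return process.env.CLEF_SERVICE_TOKEN;
+}
+throw new ClefClientError(
+"No service token configured",
+void 0,
+"Set CLEF_SERVICE_TOKEN or pass token in options."
+);
+}
+async function request(baseUrl, opts) {
+const url = `${baseUrl}${opts.path}`;
+const headers = {
+Authorization: `Bearer ${opts.token}`,
+Accept: "application/json"
+};
+if (opts.body !== void 0) {
+headers["Content-Type"] = "application/json";
+}
+const init = {
+method: opts.method,
+headers,
+body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+};
+let response;
+try {
+response = await opts.fetchFn(url, init);
+} catch (err) {
+try {
+response = await opts.fetchFn(url, init);
+} catch {
+throw new ClefClientError(
+`Connection failed: ${err.message}`,
+void 0,
+"Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+);
+}
+}
+if (response.status >= 500) {
+response = await opts.fetchFn(url, init);
+}
+if (response.status === 401) {
+throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+}
+if (response.status === 503) {
+throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+}
+if (!response.ok) {
+const text = await response.text().catch(() => "");
+throw new ClefClientError(
+`HTTP ${response.status}: ${text || response.statusText}`,
+response.status
+);
+}
+const json = await response.json();
+if (json && typeof json === "object" && "success" in json) {
+if (!json.success) {
+throw new ClefClientError(json.message || "Request failed", response.status);
+}
+return json.data;
+}
+return json;
+}
+var CloudKmsProvider = class {
+endpoint;
+token;
+constructor(options) {
+this.endpoint = options.endpoint;
+this.token = resolveToken(options.token);
+}
+async wrap(_keyId, _plaintext) {
+throw new ClefClientError(
+"CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption."
+);
+}
+async unwrap(keyId, wrappedKey, _algorithm) {
+const result = await request(this.endpoint, {
+method: "POST",
+path: "/api/v1/cloud/kms/decrypt",
+body: {
+keyArn: keyId,
+ciphertext: wrappedKey.toString("base64")
+},
+token: this.token,
+fetchFn: globalThis.fetch
+});
+return Buffer.from(result.plaintext, "base64");
+}
+};
+}
+});
+
+// ../runtime/dist/kms/index.js
+var require_kms2 = __commonJS({
 "../runtime/dist/kms/index.js"(exports2) {
 "use strict";
+var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+if (k2 === void 0) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() {
+return m[k];
+} };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === void 0) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function(o2) {
+var ar = [];
+for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function(mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) {
+for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+}
+__setModuleDefault(result, mod);
+return result;
+};
+})();
 Object.defineProperty(exports2, "__esModule", { value: true });
 exports2.AzureKmsProvider = exports2.GcpKmsProvider = exports2.AwsKmsProvider = void 0;
 exports2.createKmsProvider = createKmsProvider;
@@ -94848,7 +95020,7 @@ var require_kms = __commonJS({
 Object.defineProperty(exports2, "AzureKmsProvider", { enumerable: true, get: function() {
 return azure_2.AzureKmsProvider;
 } });
-function createKmsProvider(provider, options) {
+async function createKmsProvider(provider, options) {
 switch (provider) {
 case "aws":
 return new aws_1.AwsKmsProvider(options?.region);
@@ -94856,6 +95028,17 @@ var require_kms = __commonJS({
 return new gcp_1.GcpKmsProvider();
 case "azure":
 return new azure_1.AzureKmsProvider();
+case "cloud": {
+try {
+const { CloudKmsProvider } = await Promise.resolve().then(() => __importStar(require_kms()));
+return new CloudKmsProvider({
+endpoint: options?.endpoint ?? "",
+token: options?.token
+});
+} catch {
+throw new Error("Clef Cloud KMS requires @clef-sh/client. Install it with: npm install @clef-sh/client");
+}
+}
 default:
 throw new Error(`Unknown KMS provider: ${provider}`);
 }
@@ -94908,7 +95091,7 @@ var require_artifact_decryptor = __commonJS({
 exports2.ArtifactDecryptor = void 0;
 var crypto6 = __importStar(require("crypto"));
 var decrypt_1 = require_decrypt();
-var kms_1 =
+var kms_1 = require_kms2();
 var ArtifactDecryptor = class {
 ageDecryptor = new decrypt_1.AgeDecryptor();
 privateKey;
@@ -94957,7 +95140,7 @@ var require_artifact_decryptor = __commonJS({
 const envelope = artifact.envelope;
 let dek;
 try {
-const kms = (0, kms_1.createKmsProvider)(envelope.provider);
+const kms = await (0, kms_1.createKmsProvider)(envelope.provider);
 const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
 dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
 } catch (err) {
@@ -96225,11 +96408,11 @@ var require_dist3 = __commonJS({
 Object.defineProperty(exports2, "createVcsProvider", { enumerable: true, get: function() {
 return index_1.createVcsProvider;
 } });
-var kms_1 =
+var kms_1 = require_kms2();
 Object.defineProperty(exports2, "AwsKmsProvider", { enumerable: true, get: function() {
 return kms_1.AwsKmsProvider;
 } });
-var kms_2 =
+var kms_2 = require_kms2();
 Object.defineProperty(exports2, "createKmsProvider", { enumerable: true, get: function() {
 return kms_2.createKmsProvider;
 } });
@@ -99279,7 +99462,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version2 = "0.1.13
+var version2 = "0.1.13";
 var package_default = {
 name: "@clef-sh/cli",
 version: version2,
@@ -101482,7 +101665,7 @@ function registerPackCommand(program3, deps2) {
 const envConfig = si?.environments[environment];
 if (envConfig && isKmsEnvelope(envConfig)) {
 const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-kmsProvider = createKmsProvider(envConfig.kms.provider, {
+kmsProvider = await createKmsProvider(envConfig.kms.provider, {
 region: envConfig.kms.region
 });
 }
@@ -102356,7 +102539,7 @@ function registerServeCommand(program3, deps2) {
 const envConfig = si.environments[opts.env];
 if (envConfig && isKmsEnvelope(envConfig)) {
 const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-kmsProvider = createKmsProvider(envConfig.kms.provider, {
+kmsProvider = await createKmsProvider(envConfig.kms.provider, {
 region: envConfig.kms.region
 });
 }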
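Review bot: The `case "cloud"` branch of `createKmsProvider` wraps the `CloudKmsProvider` constructor in the same bare `catch` as the import, so the `ClefClientError` that `resolveToken` throws for a missing `CLEF_SERVICE_TOKEN` is replaced by the unrelated "requires @clef-sh/client" install hint; keep only the import inside the `try` and construct the provider after it. The branch also defaults to `endpoint: options?.endpoint ?? ""`, while the call sites visible here pass only `region` (pack, serve) or no options at all (`ArtifactDecryptor`), so `request` would build its URL from the bare path `/api/v1/cloud/kms/decrypt`. Since `request` attaches `Authorization: Bearer …` to whatever `baseUrl` it receives and the response carries the unwrapped key, the constructor should reject an empty endpoint and, unless a loopback agent is an intended target, a non-`https:` one, e.g. `if (!options.endpoint) throw new ClefClientError("No endpoint configured", void 0, "Set CLEF_ENDPOINT or pass endpoint in options.");`. This file is a bundle, so the change belongs in the client and runtime sources it was built from.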