@clef-sh/cli 0.1.13-beta.88 → 0.1.13-beta.92
- package/dist/index.cjs +193 -10
- package/dist/index.cjs.map +4 -4
- package/dist/index.mjs +193 -10
- package/dist/index.mjs.map +4 -4
- package/package.json +1 -1
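--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -22358,7 +22358,12 @@ var VALID_KMS_PROVIDERS;
 var init_types2 = __esm({
 "../core/src/kms/types.ts"() {
 "use strict";
-VALID_KMS_PROVIDERS = [
+VALID_KMS_PROVIDERS = [
+"aws",
+"gcp",
+"azure",
+"cloud"
+];
 }
 });
 
@@ -95224,10 +95229,177 @@ var require_azure = __commonJS({
 }
 });
 
-// ../
+// ../client/dist/kms.js
 var require_kms = __commonJS({
+"../client/dist/kms.js"(exports, module) {
+"use strict";
+var __defProp2 = Object.defineProperty;
+var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames2 = Object.getOwnPropertyNames;
+var __hasOwnProp2 = Object.prototype.hasOwnProperty;
+var __export2 = (target, all) => {
+for (var name in all)
+__defProp2(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps2 = (to, from, except, desc) => {
+if (from && typeof from === "object" || typeof from === "function") {
+for (let key of __getOwnPropNames2(from))
+if (!__hasOwnProp2.call(to, key) && key !== except)
+__defProp2(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
+}
+return to;
+};
+var __toCommonJS = (mod3) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod3);
+var kms_exports = {};
+__export2(kms_exports, {
+ClefClientError: () => ClefClientError,
+CloudKmsProvider: () => CloudKmsProvider
+});
+module.exports = __toCommonJS(kms_exports);
+var ClefClientError = class extends Error {
+constructor(message, statusCode, fix) {
+super(message);
+this.statusCode = statusCode;
+this.fix = fix;
+this.name = "ClefClientError";
+}
+statusCode;
+fix;
+};
+function resolveToken(explicit) {
+if (explicit) return explicit;
+if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+return process.env.CLEF_SERVICE_TOKEN;
+}
+throw new ClefClientError(
+"No service token configured",
+void 0,
+"Set CLEF_SERVICE_TOKEN or pass token in options."
+);
+}
+async function request(baseUrl, opts2) {
+const url = `${baseUrl}${opts2.path}`;
+const headers = {
+Authorization: `Bearer ${opts2.token}`,
+Accept: "application/json"
+};
+if (opts2.body !== void 0) {
+headers["Content-Type"] = "application/json";
+}
+const init = {
+method: opts2.method,
+headers,
+body: opts2.body !== void 0 ? JSON.stringify(opts2.body) : void 0
+};
+let response;
+try {
+response = await opts2.fetchFn(url, init);
+} catch (err) {
+try {
+response = await opts2.fetchFn(url, init);
+} catch {
+throw new ClefClientError(
+`Connection failed: ${err.message}`,
+void 0,
+"Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+);
+}
+}
+if (response.status >= 500) {
+response = await opts2.fetchFn(url, init);
+}
+if (response.status === 401) {
+throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+}
+if (response.status === 503) {
+throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+}
+if (!response.ok) {
+const text = await response.text().catch(() => "");
+throw new ClefClientError(
+`HTTP ${response.status}: ${text || response.statusText}`,
+response.status
+);
+}
+const json = await response.json();
+if (json && typeof json === "object" && "success" in json) {
+if (!json.success) {
+throw new ClefClientError(json.message || "Request failed", response.status);
+}
+return json.data;
+}
+return json;
+}
+var CloudKmsProvider = class {
+endpoint;
+token;
+constructor(options) {
+this.endpoint = options.endpoint;
+this.token = resolveToken(options.token);
+}
+async wrap(_keyId, _plaintext) {
+throw new ClefClientError(
+"CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption."
+);
+}
+async unwrap(keyId, wrappedKey, _algorithm) {
+const result = await request(this.endpoint, {
+method: "POST",
+path: "/api/v1/cloud/kms/decrypt",
+body: {
+keyArn: keyId,
+ciphertext: wrappedKey.toString("base64")
+},
+token: this.token,
+fetchFn: globalThis.fetch
+});
+return Buffer.from(result.plaintext, "base64");
+}
+};
+}
+});
+
+// ../runtime/dist/kms/index.js
+var require_kms2 = __commonJS({
 "../runtime/dist/kms/index.js"(exports) {
 "use strict";
+var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+if (k2 === void 0) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() {
+return m[k];
+} };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === void 0) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = exports && exports.__importStar || /* @__PURE__ */ (function() {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function(o2) {
+var ar = [];
+for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function(mod3) {
+if (mod3 && mod3.__esModule) return mod3;
+var result = {};
+if (mod3 != null) {
+for (var k = ownKeys(mod3), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod3, k[i]);
+}
+__setModuleDefault(result, mod3);
+return result;
+};
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AzureKmsProvider = exports.GcpKmsProvider = exports.AwsKmsProvider = void 0;
 exports.createKmsProvider = createKmsProvider;
@@ -95246,7 +95418,7 @@ var require_kms = __commonJS({
 Object.defineProperty(exports, "AzureKmsProvider", { enumerable: true, get: function() {
 return azure_2.AzureKmsProvider;
 } });
-function createKmsProvider(provider, options) {
+async function createKmsProvider(provider, options) {
 switch (provider) {
 case "aws":
 return new aws_1.AwsKmsProvider(options?.region);
@@ -95254,6 +95426,17 @@ var require_kms = __commonJS({
 return new gcp_1.GcpKmsProvider();
 case "azure":
 return new azure_1.AzureKmsProvider();
+case "cloud": {
+try {
+const { CloudKmsProvider } = await Promise.resolve().then(() => __importStar(require_kms()));
+return new CloudKmsProvider({
+endpoint: options?.endpoint ?? "",
+token: options?.token
+});
+} catch {
+throw new Error("Clef Cloud KMS requires @clef-sh/client. Install it with: npm install @clef-sh/client");
+}
+}
 default:
 throw new Error(`Unknown KMS provider: ${provider}`);
 }
@@ -95306,7 +95489,7 @@ var require_artifact_decryptor = __commonJS({
 exports.ArtifactDecryptor = void 0;
 var crypto6 = __importStar(__require("crypto"));
 var decrypt_1 = require_decrypt();
-var kms_1 =
+var kms_1 = require_kms2();
 var ArtifactDecryptor = class {
 ageDecryptor = new decrypt_1.AgeDecryptor();
 privateKey;
@@ -95355,7 +95538,7 @@ var require_artifact_decryptor = __commonJS({
 const envelope = artifact.envelope;
 let dek;
 try {
-const kms = (0, kms_1.createKmsProvider)(envelope.provider);
+const kms = await (0, kms_1.createKmsProvider)(envelope.provider);
 const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
 dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
 } catch (err) {
@@ -96623,11 +96806,11 @@ var require_dist3 = __commonJS({
 Object.defineProperty(exports, "createVcsProvider", { enumerable: true, get: function() {
 return index_1.createVcsProvider;
 } });
-var kms_1 =
+var kms_1 = require_kms2();
 Object.defineProperty(exports, "AwsKmsProvider", { enumerable: true, get: function() {
 return kms_1.AwsKmsProvider;
 } });
-var kms_2 =
+var kms_2 = require_kms2();
 Object.defineProperty(exports, "createKmsProvider", { enumerable: true, get: function() {
 return kms_2.createKmsProvider;
 } });
@@ -99677,7 +99860,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version2 = "0.1.13-beta.
+var version2 = "0.1.13-beta.92";
 var package_default = {
 name: "@clef-sh/cli",
 version: version2,
@@ -101880,7 +102063,7 @@ function registerPackCommand(program3, deps2) {
 const envConfig = si?.environments[environment];
 if (envConfig && isKmsEnvelope(envConfig)) {
 const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-kmsProvider = createKmsProvider(envConfig.kms.provider, {
+kmsProvider = await createKmsProvider(envConfig.kms.provider, {
 region: envConfig.kms.region
 });
 }
@@ -102754,7 +102937,7 @@ function registerServeCommand(program3, deps2) {
 const envConfig = si.environments[opts2.env];
 if (envConfig && isKmsEnvelope(envConfig)) {
 const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-kmsProvider = createKmsProvider(envConfig.kms.provider, {
+kmsProvider = await createKmsProvider(envConfig.kms.provider, {
 region: envConfig.kms.region
 });
 }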
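Review bot: The bare `catch` in the new `case "cloud"` branch of `createKmsProvider` wraps the constructor as well as the import, so the `ClefClientError` that `resolveToken` raises for a missing token (with its "Set CLEF_SERVICE_TOKEN" hint) is replaced by the unrelated "requires @clef-sh/client" install message; in this bundle `require_kms` is inlined, so the constructor error is probably the only thing that `catch` can ever see. The same branch passes `endpoint: options?.endpoint ?? ""`, and every call site visible in this diff supplies either no options (`ArtifactDecryptor`, where `envelope.provider` comes from the artifact) or only `region` (the pack and serve commands), so a `cloud` envelope appears to reach `request()` with a path-only URL and fail as "Connection failed". Because `request()` attaches the bearer token to whatever `baseUrl` it receives, I would reject a missing endpoint before the provider is built and narrow the `try` to the import alone. The fix belongs in the runtime package's source rather than in this generated bundle, and the closing brace of `createKmsProvider` lies outside the hunks shown.

```javascript
case "cloud": {
  // Reject a missing endpoint before a token-bearing client is built.
  if (!options?.endpoint) {
    throw new Error("Clef Cloud KMS requires an endpoint");
  }
  let client;
  try {
    client = await Promise.resolve().then(() => __importStar(require_kms()));
  } catch {
    throw new Error("Clef Cloud KMS requires @clef-sh/client. Install it with: npm install @clef-sh/client");
  }
  // Constructor errors (e.g. a missing token) now propagate with their own message and fix hint.
  return new client.CloudKmsProvider({ endpoint: options.endpoint, token: options?.token });
}
// … unchanged: default case …
```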