@clef-sh/cli 0.1.6-beta.32 → 0.1.7-beta.43

package/dist/index.mjs

@@ -20307,7 +20307,7 @@ var init_runner = __esm({
       /**
        * Lint service identity configurations for drift issues.
        */
-      async lintServiceIdentities(identities, manifest, _repoRoot, existingCells) {
+      async lintServiceIdentities(identities, manifest, repoRoot, existingCells) {
         const issues = [];
         const declaredEnvNames = new Set(manifest.environments.map((e) => e.name));
         const declaredNsNames = new Set(manifest.namespaces.map((ns) => ns.name));
@@ -21941,6 +21941,55 @@ var init_manager2 = __esm({
       get(manifest, name) {
         return manifest.service_identities?.find((si) => si.name === name);
       }
+      /**
+       * Update environment backends on an existing service identity.
+       * Switches age → KMS (removes old recipient) or updates KMS config.
+       * Returns new private keys for any environments switched from KMS → age.
+       */
+      async updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot) {
+        const identity = this.get(manifest, name);
+        if (!identity) {
+          throw new Error(`Service identity '${name}' not found.`);
+        }
+        const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
+        const raw = fs15.readFileSync(manifestPath, "utf-8");
+        const doc = YAML10.parse(raw);
+        const identities = doc.service_identities;
+        const siDoc = identities.find((si) => si.name === name);
+        const envs = siDoc.environments;
+        const cells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+        const privateKeys = {};
+        for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+          const oldConfig = identity.environments[envName];
+          if (!oldConfig) {
+            throw new Error(`Environment '${envName}' not found on identity '${name}'.`);
+          }
+          if (oldConfig.recipient) {
+            const scopedCells = cells.filter(
+              (c) => identity.namespaces.includes(c.namespace) && c.environment === envName
+            );
+            for (const cell of scopedCells) {
+              try {
+                await this.encryption.removeRecipient(cell.filePath, oldConfig.recipient);
+              } catch {
+              }
+            }
+          }
+          envs[envName] = { kms: kmsConfig };
+          identity.environments[envName] = { kms: kmsConfig };
+        }
+        const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+        try {
+          fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+          fs15.renameSync(tmp, manifestPath);
+        } finally {
+          try {
+            fs15.unlinkSync(tmp);
+          } catch {
+          }
+        }
+        return { privateKeys };
+      }
       /**
        * Register a service identity's public keys as SOPS recipients on scoped matrix files.
        */
@@ -22201,7 +22250,8 @@ var init_packer = __esm({
           try {
             const e = new Encrypter2();
             e.addRecipient(ephemeralPublicKey);
-            ciphertext = await e.encrypt(plaintext);
+            const encrypted = await e.encrypt(plaintext);
+            ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
           } catch {
             throw new Error("Failed to age-encrypt artifact with ephemeral key.");
           }
@@ -22230,7 +22280,8 @@ var init_packer = __esm({
             const { Encrypter: Encrypter2 } = await Promise.resolve().then(() => (init_dist(), dist_exports));
             const e = new Encrypter2();
             e.addRecipient(resolved.recipient);
-            ciphertext = await e.encrypt(plaintext);
+            const encrypted = await e.encrypt(plaintext);
+            ciphertext = typeof encrypted === "string" ? encrypted : Buffer.from(encrypted).toString("base64");
           } catch {
             throw new Error("Failed to age-encrypt artifact. Check recipient key.");
           }
@@ -76033,6 +76084,42 @@ var require_api = __commonJS({
           res.status(500).json({ error: message, code: "RECIPIENTS_REMOVE_ERROR" });
         }
       });
+      router.get("/service-identities", (_req, res) => {
+        try {
+          setNoCacheHeaders(res);
+          const manifest = loadManifest();
+          const identities = manifest.service_identities ?? [];
+          const result = identities.map((si) => {
+            const environments = {};
+            for (const [envName, envConfig] of Object.entries(si.environments)) {
+              const env = manifest.environments.find((e) => e.name === envName);
+              if (envConfig.kms) {
+                environments[envName] = {
+                  type: "kms",
+                  kms: envConfig.kms,
+                  protected: env?.protected ?? false
+                };
+              } else {
+                environments[envName] = {
+                  type: "age",
+                  publicKey: envConfig.recipient,
+                  protected: env?.protected ?? false
+                };
+              }
+            }
+            return {
+              name: si.name,
+              description: si.description,
+              namespaces: si.namespaces,
+              environments
+            };
+          });
+          res.json({ identities: result });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "Failed to load service identities";
+          res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
+        }
+      });
       function dispose() {
         lastScanResult = null;
         lastScanAt = null;
@@ -76452,7 +76539,9 @@ var require_decrypt = __commonJS({
         const { Decrypter: Decrypter2 } = await Promise.resolve(`${"age-encryption"}`).then((s) => __importStar(__require(s)));
         const d = new Decrypter2();
         d.addIdentity(privateKey);
-        return d.decrypt(ciphertext, "text");
+        const isAgePem = ciphertext.startsWith("age-encryption.org/v1\n");
+        const input = isAgePem ? ciphertext : Buffer.from(ciphertext, "base64");
+        return d.decrypt(input, "text");
       }
       /**
        * Resolve the age private key from either an inline value or a file path.
@@ -77911,6 +78000,7 @@ ${label2}
     return new Promise((resolve6) => {
       rl.question(color(import_picocolors.default.yellow, `${prompt} [y/N] `), (answer) => {
         rl.close();
+        process.stdin.pause();
         resolve6(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
       });
     });
@@ -77950,6 +78040,7 @@ ${label2}
             process.stdin.setRawMode(false);
           }
           process.stdin.removeListener("data", onData);
+          process.stdin.pause();
           process.stderr.write("\n");
           resolve6(value);
         } else if (char === "") {
@@ -78082,25 +78173,53 @@ async function getDarwin(runner2, account) {
     if (result.exitCode === 0) {
       const key = result.stdout.trim();
       if (key.startsWith("AGE-SECRET-KEY-")) return key;
+      if (key) {
+        formatter.warn(
+          "OS keychain entry exists but contains invalid key data\n  (expected AGE-SECRET-KEY-... format). The entry may be corrupted.\n  Delete the 'clef' entry in Keychain Access and re-run clef init."
+        );
+      }
     }
     return null;
   } catch {
     return null;
   }
 }
+async function readDarwinRaw(runner2, account) {
+  try {
+    const result = await runner2.run("security", [
+      "find-generic-password",
+      "-a",
+      account,
+      "-s",
+      SERVICE,
+      "-w"
+    ]);
+    return result.exitCode === 0 ? result.stdout.trim() : "";
+  } catch {
+    return "";
+  }
+}
 async function setDarwin(runner2, privateKey, account) {
   await runner2.run("security", ["delete-generic-password", "-a", account, "-s", SERVICE]).catch(() => {
   });
-  const result = await runner2.run("security", [
-    "add-generic-password",
-    "-a",
-    account,
-    "-s",
-    SERVICE,
-    "-w",
-    privateKey
-  ]);
-  return result.exitCode === 0;
+  try {
+    const result = await runner2.run(
+      "security",
+      ["add-generic-password", "-a", account, "-s", SERVICE, "-w"],
+      { stdin: privateKey }
+    );
+    if (result.exitCode !== 0) return false;
+    const stored = await readDarwinRaw(runner2, account);
+    if (stored === privateKey) return true;
+    formatter.warn(
+      "Keychain write succeeded but read-back verification failed \u2014\n  the stored value may be truncated or corrupted.\n  Falling back to file-based key storage."
+    );
+    await runner2.run("security", ["delete-generic-password", "-a", account, "-s", SERVICE]).catch(() => {
+    });
+    return false;
+  } catch {
+    return false;
+  }
 }
 async function getLinux(runner2, account) {
   try {
@@ -78114,6 +78233,11 @@ async function getLinux(runner2, account) {
     if (result.exitCode === 0) {
       const key = result.stdout.trim();
       if (key.startsWith("AGE-SECRET-KEY-")) return key;
+      if (key) {
+        formatter.warn(
+          "OS keychain entry exists but contains invalid key data\n  (expected AGE-SECRET-KEY-... format). The entry may be corrupted."
+        );
+      }
     }
     return null;
   } catch {
@@ -78157,6 +78281,11 @@ ${CRED_HELPER_CS}
     if (result.exitCode === 0) {
       const key = result.stdout.trim();
       if (key.startsWith("AGE-SECRET-KEY-")) return key;
+      if (key) {
+        formatter.warn(
+          "Windows Credential Manager entry exists but contains invalid key data\n  (expected AGE-SECRET-KEY-... format). The entry may be corrupted."
+        );
+      }
     }
     return null;
   } catch {
@@ -78423,6 +78552,9 @@ async function handleSecondDevOnboarding(repoRoot, clefConfigPath, deps2, option
     formatter.success("Stored age key in OS keychain");
     config = { age_key_storage: "keychain", age_keychain_label: label2 };
   } else {
+    formatter.warn(
+      "OS keychain is not available on this system.\n  The private key will be written to the filesystem instead.\n  See https://docs.clef.sh/guide/key-storage for security implications."
+    );
     let keyPath;
     if (options.nonInteractive || !process.stdin.isTTY) {
       keyPath = process.env.CLEF_AGE_KEY_FILE || defaultAgeKeyPath(label2);
@@ -78798,6 +78930,7 @@ function promptWithDefault(message, defaultValue) {
   return new Promise((resolve6) => {
     rl.question(prompt, (answer) => {
       rl.close();
+      process.stdin.pause();
       resolve6(answer.trim() || defaultValue);
     });
   });
@@ -78820,6 +78953,11 @@ async function resolveAgeCredential(repoRoot, runner2) {
   if (label2) {
     const keychainKey = await getKeychainKey(runner2, label2);
     if (keychainKey) return { source: "keychain", privateKey: keychainKey };
+    if (config?.age_key_storage !== "file") {
+      formatter.warn(
+        "OS keychain is configured but the age key could not be retrieved.\n  Falling back to environment variables / key file.\n  Run clef doctor for diagnostics."
+      );
+    }
   }
   if (process.env.CLEF_AGE_KEY) return { source: "env-key" };
   if (process.env.CLEF_AGE_KEY_FILE) return { source: "env-file" };
@@ -78873,7 +79011,10 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
         const content = fs18.readFileSync(filePath, "utf-8");
         const match = content.match(AGE_SECRET_KEY_RE);
         return match ? match[1] : null;
-      } catch {
+      } catch (err) {
+        formatter.warn(
+          `Could not read age key file (CLEF_AGE_KEY_FILE=${filePath}): ${err instanceof Error ? err.message : String(err)}`
+        );
         return null;
       }
     }
@@ -78882,7 +79023,10 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
         const content = fs18.readFileSync(credential.path, "utf-8");
         const match = content.match(AGE_SECRET_KEY_RE);
         return match ? match[1] : null;
-      } catch {
+      } catch (err) {
+        formatter.warn(
+          `Could not read age key file (${credential.path}): ${err instanceof Error ? err.message : String(err)}`
+        );
         return null;
       }
     }
@@ -78893,16 +79037,52 @@ function readLocalConfig(repoRoot) {
   try {
     if (!fs18.existsSync(clefConfigPath)) return null;
     return YAML12.parse(fs18.readFileSync(clefConfigPath, "utf-8"));
-  } catch {
+  } catch (err) {
+    formatter.warn(
+      `Failed to parse ${clefConfigPath}: ${err instanceof Error ? err.message : String(err)}
+  Credential resolution will proceed without local config.`
+    );
     return null;
   }
 }
 
+// src/clipboard.ts
+import { execFileSync } from "child_process";
+function copyToClipboard(text) {
+  try {
+    switch (process.platform) {
+      case "darwin":
+        execFileSync("pbcopy", { input: text, stdio: ["pipe", "ignore", "ignore"] });
+        return true;
+      case "win32":
+        execFileSync("clip", { input: text, stdio: ["pipe", "ignore", "ignore"], shell: true });
+        return true;
+      default: {
+        for (const cmd of ["xclip", "xsel"]) {
+          try {
+            const args = cmd === "xclip" ? ["-selection", "clipboard"] : ["--clipboard", "--input"];
+            execFileSync(cmd, args, { input: text, stdio: ["pipe", "ignore", "ignore"] });
+            return true;
+          } catch {
+            continue;
+          }
+        }
+        return false;
+      }
+    }
+  } catch {
+    return false;
+  }
+}
+function maskedPlaceholder() {
+  return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
+}
+
 // src/commands/get.ts
 function registerGetCommand(program3, deps2) {
   program3.command("get <target> <key>").description(
-    "Get a single decrypted value.\n\n  target: namespace/environment (e.g. payments/production)\n  key:    the key name to retrieve\n\nExit codes:\n  0  Value found and printed\n  1  Key not found or decryption error"
-  ).action(async (target, key) => {
+    "Get a single decrypted value.\n\n  target: namespace/environment (e.g. payments/production)\n  key:    the key name to retrieve\n\nBy default, the value is copied to clipboard and obfuscated on screen.\nUse --raw to print the plaintext value to stdout.\n\nExit codes:\n  0  Value found\n  1  Key not found or decryption error"
+  ).option("--raw", "Print the plaintext value to stdout (for piping/scripting)").action(async (target, key, opts2) => {
     try {
       const [namespace, environment] = parseTarget(target);
       const repoRoot = program3.opts().dir || process.cwd();
@@ -78921,7 +79101,17 @@ function registerGetCommand(program3, deps2) {
         process.exit(1);
         return;
       }
-      formatter.keyValue(key, decrypted.values[key]);
+      const val = decrypted.values[key];
+      if (opts2.raw) {
+        formatter.raw(val);
+      } else {
+        const copied = copyToClipboard(val);
+        if (copied) {
+          formatter.print(`  ${key}: ${maskedPlaceholder()} (copied to clipboard)`);
+        } else {
+          formatter.keyValue(key, val);
+        }
+      }
     } catch (err) {
       if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
         formatter.formatDependencyError(err);
@@ -79633,7 +79823,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version = "0.1.6-beta.32";
+var version = "0.1.7-beta.43";
 var package_default = {
   name: "@clef-sh/cli",
   version,
@@ -80154,8 +80344,8 @@ init_src();
 import * as path31 from "path";
 function registerExportCommand(program3, deps2) {
   program3.command("export <target>").description(
-    "Print decrypted secrets as shell export statements to stdout.\n\n  target: namespace/environment (e.g. payments/production)\n\nUsage:\n  eval $(clef export payments/production --format env)\n\nExit codes:\n  0  Values printed successfully\n  1  Decryption error or invalid arguments"
-  ).option("--format <format>", "Output format (only 'env' is supported)", "env").option("--no-export", "Omit the 'export' keyword \u2014 output bare KEY=value pairs").action(async (target, options) => {
+    "Export decrypted secrets as shell export statements.\n\n  target: namespace/environment (e.g. payments/production)\n\nBy default, exports are copied to clipboard. Use --raw to print to stdout.\n\nUsage:\n  clef export payments/production             (copies to clipboard)\n  eval $(clef export payments/production --raw)  (injects into shell)\n\nExit codes:\n  0  Values exported successfully\n  1  Decryption error or invalid arguments"
+  ).option("--format <format>", "Output format (only 'env' is supported)", "env").option("--no-export", "Omit the 'export' keyword \u2014 output bare KEY=value pairs").option("--raw", "Print to stdout instead of clipboard (for eval/piping)").action(async (target, options) => {
     try {
       if (options.format !== "env") {
         if (options.format === "dotenv" || options.format === "json" || options.format === "yaml") {
@@ -80188,12 +80378,28 @@ Usage: clef export payments/production --format env`
       const decrypted = await sopsClient.decrypt(filePath);
       const consumption = new ConsumptionClient();
       const output = consumption.formatExport(decrypted, "env", !options.export);
-      if (process.platform === "linux") {
-        formatter.warn(
-          "Exported values will be visible in /proc/<pid>/environ to processes with ptrace access. Use clef exec when possible."
-        );
+      if (options.raw) {
+        if (process.platform === "linux") {
+          formatter.warn(
+            "Exported values will be visible in /proc/<pid>/environ to processes with ptrace access. Use clef exec when possible."
+          );
+        }
+        formatter.raw(output);
+      } else {
+        const keyCount = Object.keys(decrypted.values).length;
+        const copied = copyToClipboard(output);
+        if (copied) {
+          formatter.success(`${keyCount} secret(s) copied to clipboard as env exports.`);
+          formatter.hint("eval $(clef export " + target + " --raw)  to inject into shell");
+        } else {
+          if (process.platform === "linux") {
+            formatter.warn(
+              "Exported values will be visible in /proc/<pid>/environ to processes with ptrace access. Use clef exec when possible."
+            );
+          }
+          formatter.raw(output);
+        }
       }
-      formatter.raw(output);
     } catch (err) {
       if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
         formatter.formatDependencyError(err);
@@ -80853,6 +81059,7 @@ function waitForEnter(message) {
     });
     rl.question(message, () => {
       rl.close();
+      process.stdin.pause();
       resolve6();
     });
   });
@@ -81402,6 +81609,9 @@ function registerServiceCommand(program3, deps2) {
                 `Invalid KMS provider '${provider}'. Must be one of: aws, gcp, azure.`
               );
             }
+            if (kmsEnvConfigs[envName]) {
+              throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
+            }
             kmsEnvConfigs[envName] = {
               provider,
               keyId
@@ -81440,13 +81650,24 @@ function registerServiceCommand(program3, deps2) {
 `
         );
         if (Object.keys(result.privateKeys).length > 0) {
-          formatter.warn(
-            "Private keys are shown ONCE. Store them securely (e.g. AWS Secrets Manager, Vault).\n"
-          );
-          for (const [envName, privateKey] of Object.entries(result.privateKeys)) {
-            formatter.print(`  ${envName}:`);
-            formatter.print(`    ${privateKey}
+          const entries = Object.entries(result.privateKeys);
+          const block = entries.map(([env, key]) => `${env}: ${key}`).join("\n");
+          const copied = copyToClipboard(block);
+          if (copied) {
+            formatter.warn("Private keys copied to clipboard. Store them securely.\n");
+            for (const [envName] of entries) {
+              formatter.print(`  ${envName}: ${maskedPlaceholder()}`);
+            }
+            formatter.print("");
+          } else {
+            formatter.warn(
+              "Private keys are shown ONCE. Store them securely (e.g. AWS Secrets Manager, Vault).\n"
+            );
+            for (const [envName, privateKey] of entries) {
+              formatter.print(`  ${envName}:`);
+              formatter.print(`    ${privateKey}
 `);
+            }
           }
           for (const k of Object.keys(result.privateKeys)) result.privateKeys[k] = "";
         }
@@ -81581,6 +81802,71 @@ Service Identity: ${identity.name}`);
       process.exit(1);
     }
   });
+  serviceCmd.command("update <name>").description("Update an existing service identity's environment backends.").option(
+    "--kms-env <mapping>",
+    "Switch an environment to KMS envelope encryption: env=provider:keyId (repeatable)",
+    (val, acc) => {
+      acc.push(val);
+      return acc;
+    },
+    []
+  ).action(async (name, opts2) => {
+    try {
+      if (opts2.kmsEnv.length === 0) {
+        formatter.error("Nothing to update. Provide --kms-env to change environment backends.");
+        process.exit(1);
+        return;
+      }
+      const repoRoot = program3.opts().dir || process.cwd();
+      const parser = new ManifestParser();
+      const manifest = parser.parse(path38.join(repoRoot, "clef.yaml"));
+      const kmsEnvConfigs = {};
+      for (const mapping of opts2.kmsEnv) {
+        const eqIdx = mapping.indexOf("=");
+        if (eqIdx === -1) {
+          throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
+        }
+        const envName = mapping.slice(0, eqIdx);
+        const rest = mapping.slice(eqIdx + 1);
+        const colonIdx = rest.indexOf(":");
+        if (colonIdx === -1) {
+          throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
+        }
+        const provider = rest.slice(0, colonIdx);
+        const keyId = rest.slice(colonIdx + 1);
+        if (!["aws", "gcp", "azure"].includes(provider)) {
+          throw new Error(`Invalid KMS provider '${provider}'. Must be one of: aws, gcp, azure.`);
+        }
+        if (kmsEnvConfigs[envName]) {
+          throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
+        }
+        kmsEnvConfigs[envName] = {
+          provider,
+          keyId
+        };
+      }
+      const matrixManager = new MatrixManager();
+      const sopsClient = await createSopsClient(repoRoot, deps2.runner);
+      const manager = new ServiceIdentityManager(sopsClient, matrixManager);
+      formatter.print(`${sym("working")}  Updating service identity '${name}'...`);
+      await manager.updateEnvironments(name, kmsEnvConfigs, manifest, repoRoot);
+      formatter.success(`Service identity '${name}' updated.`);
+      for (const [envName, kmsConfig] of Object.entries(kmsEnvConfigs)) {
+        formatter.print(`  ${envName}: switched to KMS envelope (${kmsConfig.provider})`);
+      }
+      formatter.hint(
+        `git add clef.yaml && git commit -m "chore: update service identity '${name}'"`
+      );
+    } catch (err) {
+      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
+        formatter.formatDependencyError(err);
+        process.exit(1);
+        return;
+      }
+      formatter.error(err.message);
+      process.exit(1);
+    }
+  });
   serviceCmd.command("rotate <name>").description("Rotate the age key for a service identity.").option("-e, --environment <env>", "Rotate only a specific environment").action(async (name, opts2) => {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
@@ -81610,11 +81896,22 @@ Service Identity: ${identity.name}`);
       formatter.print(`${sym("working")}  Rotating key for '${name}'...`);
       const newKeys = await manager.rotateKey(name, manifest, repoRoot, opts2.environment);
       formatter.success(`Key rotated for '${name}'.`);
-      formatter.warn("New private keys are shown ONCE. Store them securely.\n");
-      for (const [envName, privateKey] of Object.entries(newKeys)) {
-        formatter.print(`  ${envName}:`);
-        formatter.print(`    ${privateKey}
+      const entries = Object.entries(newKeys);
+      const block = entries.map(([env, key]) => `${env}: ${key}`).join("\n");
+      const copied = copyToClipboard(block);
+      if (copied) {
+        formatter.warn("New private keys copied to clipboard. Store them securely.\n");
+        for (const [envName] of entries) {
+          formatter.print(`  ${envName}: ${maskedPlaceholder()}`);
+        }
+        formatter.print("");
+      } else {
+        formatter.warn("New private keys are shown ONCE. Store them securely.\n");
+        for (const [envName, privateKey] of entries) {
+          formatter.print(`  ${envName}:`);
+          formatter.print(`    ${privateKey}
 `);
+        }
       }
       for (const k of Object.keys(newKeys)) newKeys[k] = "";
       formatter.hint(
@@ -81628,11 +81925,25 @@ Service Identity: ${identity.name}`);
       }
       if (err instanceof PartialRotationError) {
         formatter.error(err.message);
-        formatter.warn("Partial rotation succeeded. New private keys below \u2014 store them NOW.\n");
-        for (const [envName, privateKey] of Object.entries(err.rotatedKeys)) {
-          formatter.print(`  ${envName}:`);
-          formatter.print(`    ${privateKey}
+        const partialEntries = Object.entries(err.rotatedKeys);
+        const partialBlock = partialEntries.map(([env, key]) => `${env}: ${key}`).join("\n");
+        const partialCopied = copyToClipboard(partialBlock);
+        if (partialCopied) {
+          formatter.warn(
+            "Partial rotation succeeded. Rotated keys copied to clipboard \u2014 store them NOW.\n"
+          );
+          for (const [envName] of partialEntries) {
+            formatter.print(`  ${envName}: ${maskedPlaceholder()}`);
+          }
+        } else {
+          formatter.warn(
+            "Partial rotation succeeded. New private keys below \u2014 store them NOW.\n"
+          );
+          for (const [envName, privateKey] of partialEntries) {
+            formatter.print(`  ${envName}:`);
+            formatter.print(`    ${privateKey}
 `);
+          }
         }
         for (const k of Object.keys(err.rotatedKeys)) {
           err.rotatedKeys[k] = "";