@clef-sh/cli 0.1.7-beta.45 → 0.1.8-beta.52

package/dist/index.cjs

@@ -5872,8 +5872,8 @@ var require_int2 = __commonJS({
     var stringifyNumber = require_stringifyNumber();
     var intIdentify = (value) => typeof value === "bigint" || Number.isInteger(value);
     function intResolve(str2, offset, radix, { intAsBigInt }) {
-      const sign = str2[0];
-      if (sign === "-" || sign === "+")
+      const sign2 = str2[0];
+      if (sign2 === "-" || sign2 === "+")
         offset += 1;
       str2 = str2.substring(offset).replace(/_/g, "");
       if (intAsBigInt) {
@@ -5889,10 +5889,10 @@ var require_int2 = __commonJS({
             break;
         }
         const n2 = BigInt(str2);
-        return sign === "-" ? BigInt(-1) * n2 : n2;
+        return sign2 === "-" ? BigInt(-1) * n2 : n2;
       }
       const n = parseInt(str2, radix);
-      return sign === "-" ? -1 * n : n;
+      return sign2 === "-" ? -1 * n : n;
     }
     function intStringify(node, radix, prefix) {
       const { value } = node;
@@ -6039,11 +6039,11 @@ var require_timestamp = __commonJS({
     "use strict";
     var stringifyNumber = require_stringifyNumber();
     function parseSexagesimal(str2, asBigInt) {
-      const sign = str2[0];
-      const parts = sign === "-" || sign === "+" ? str2.substring(1) : str2;
+      const sign2 = str2[0];
+      const parts = sign2 === "-" || sign2 === "+" ? str2.substring(1) : str2;
       const num2 = (n) => asBigInt ? BigInt(n) : Number(n);
       const res = parts.replace(/_/g, "").split(":").reduce((res2, p) => res2 * num2(60) + num2(p), num2(0));
-      return sign === "-" ? num2(-1) * res : res;
+      return sign2 === "-" ? num2(-1) * res : res;
     }
     function stringifySexagesimal(node) {
       let { value } = node;
@@ -6052,9 +6052,9 @@ var require_timestamp = __commonJS({
         num2 = (n) => BigInt(n);
       else if (isNaN(value) || !isFinite(value))
         return stringifyNumber.stringifyNumber(node);
-      let sign = "";
+      let sign2 = "";
       if (value < 0) {
-        sign = "-";
+        sign2 = "-";
         value *= num2(-1);
       }
       const _60 = num2(60);
@@ -6069,7 +6069,7 @@ var require_timestamp = __commonJS({
           parts.unshift(value);
         }
       }
-      return sign + parts.map((n) => String(n).padStart(2, "0")).join(":").replace(/000000\d*$/, "");
+      return sign2 + parts.map((n) => String(n).padStart(2, "0")).join(":").replace(/000000\d*$/, "");
     }
     var intTime = {
       identify: (value) => typeof value === "bigint" || Number.isInteger(value),
@@ -15991,13 +15991,13 @@ var require_age_encryption = __commonJS({
         }
         return { seed, k2sig };
       }
-      function sign(message, secretKey, opts2 = {}) {
+      function sign2(message, secretKey, opts2 = {}) {
         const { seed, k2sig } = prepSig(message, secretKey, opts2);
         const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac4);
         const sig = drbg(seed, k2sig);
         return sig.toBytes(opts2.format);
       }
-      function verify(signature, message, publicKey, opts2 = {}) {
+      function verify2(signature, message, publicKey, opts2 = {}) {
         const { lowS, prehash, format } = validateSigOpts(opts2, defaultSigOpts);
         publicKey = abytes4(publicKey, void 0, "publicKey");
         message = validateMsgAndHash(message, prehash);
@@ -16037,8 +16037,8 @@ var require_age_encryption = __commonJS({
         utils,
         lengths,
         Point,
-        sign,
-        verify,
+        sign: sign2,
+        verify: verify2,
         recoverPublicKey,
         Signature,
         hash
@@ -21863,16 +21863,101 @@ var init_resolve = __esm({
   }
 });
 
+// ../core/src/artifact/signer.ts
+function buildSigningPayload(artifact) {
+  const fields = [
+    "clef-sig-v1",
+    String(artifact.version),
+    artifact.identity,
+    artifact.environment,
+    artifact.revision,
+    artifact.packedAt,
+    artifact.ciphertextHash,
+    [...artifact.keys].sort().join(","),
+    artifact.expiresAt ?? "",
+    artifact.envelope?.provider ?? "",
+    artifact.envelope?.keyId ?? "",
+    artifact.envelope?.wrappedKey ?? "",
+    artifact.envelope?.algorithm ?? ""
+  ];
+  return Buffer.from(fields.join("\n"), "utf-8");
+}
+function generateSigningKeyPair() {
+  const pair = crypto3.generateKeyPairSync("ed25519");
+  return {
+    publicKey: pair.publicKey.export({ type: "spki", format: "der" }).toString(
+      "base64"
+    ),
+    privateKey: pair.privateKey.export({ type: "pkcs8", format: "der" }).toString(
+      "base64"
+    )
+  };
+}
+function signEd25519(payload, privateKeyBase64) {
+  const keyObj = crypto3.createPrivateKey({
+    key: Buffer.from(privateKeyBase64, "base64"),
+    format: "der",
+    type: "pkcs8"
+  });
+  const signature = crypto3.sign(null, payload, keyObj);
+  return signature.toString("base64");
+}
+async function signKms(payload, kms, signingKeyId) {
+  if (!kms.sign) {
+    throw new Error(
+      "KMS provider does not support signing. Ensure the provider implements the sign() method."
+    );
+  }
+  const digest = crypto3.createHash("sha256").update(payload).digest();
+  const signature = await kms.sign(signingKeyId, digest);
+  return signature.toString("base64");
+}
+function verifySignature(payload, signatureBase64, publicKeyBase64) {
+  const keyObj = crypto3.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const signature = Buffer.from(signatureBase64, "base64");
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") {
+    return crypto3.verify(null, payload, keyObj, signature);
+  }
+  if (keyType === "ec") {
+    return crypto3.verify("sha256", payload, keyObj, signature);
+  }
+  throw new Error(`Unsupported key type for signature verification: ${keyType}`);
+}
+function detectAlgorithm(publicKeyBase64) {
+  const keyObj = crypto3.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") return "Ed25519";
+  if (keyType === "ec") return "ECDSA_SHA256";
+  throw new Error(`Unsupported key type: ${keyType}`);
+}
+var crypto3;
+var init_signer = __esm({
+  "../core/src/artifact/signer.ts"() {
+    "use strict";
+    crypto3 = __toESM(require("crypto"));
+  }
+});
+
 // ../core/src/artifact/packer.ts
-var fs16, path18, crypto3, ArtifactPacker;
+var fs16, path18, crypto4, ArtifactPacker;
 var init_packer = __esm({
   "../core/src/artifact/packer.ts"() {
     "use strict";
     fs16 = __toESM(require("fs"));
     path18 = __toESM(require("path"));
-    crypto3 = __toESM(require("crypto"));
+    crypto4 = __toESM(require("crypto"));
     init_types();
     init_resolve();
+    init_signer();
     ArtifactPacker = class {
       constructor(encryption, matrixManager, kms) {
         this.encryption = encryption;
@@ -21884,6 +21969,11 @@ var init_packer = __esm({
        * values to the service identity's recipient, and write a JSON envelope.
        */
       async pack(config, manifest, repoRoot) {
+        if (config.signingKey && config.signingKmsKeyId) {
+          throw new Error(
+            "Cannot specify both signingKey (Ed25519) and signingKmsKeyId (KMS). Choose one."
+          );
+        }
         const resolved = await resolveIdentitySecrets(
           config.identity,
           config.environment,
@@ -21912,8 +22002,8 @@ var init_packer = __esm({
           }
           const kmsConfig = resolved.envConfig.kms;
           const wrapped = await this.kms.wrap(kmsConfig.keyId, Buffer.from(ephemeralPrivateKey));
-          const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
-          const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+          const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
+          const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
           artifact = {
             version: 1,
             identity: config.identity,
@@ -21940,8 +22030,8 @@ var init_packer = __esm({
           } catch {
             throw new Error("Failed to age-encrypt artifact. Check recipient key.");
           }
-          const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
-          const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
+          const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
+          const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
           artifact = {
             version: 1,
             identity: config.identity,
@@ -21960,6 +22050,18 @@ var init_packer = __esm({
         if (config.ttl && config.ttl > 0) {
           artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
         }
+        if (config.signingKey) {
+          const payload = buildSigningPayload(artifact);
+          artifact.signature = signEd25519(payload, config.signingKey);
+          artifact.signatureAlgorithm = "Ed25519";
+        } else if (config.signingKmsKeyId) {
+          if (!this.kms) {
+            throw new Error("KMS provider required for KMS signing but none was provided.");
+          }
+          const payload = buildSigningPayload(artifact);
+          artifact.signature = await signKms(payload, this.kms, config.signingKmsKeyId);
+          artifact.signatureAlgorithm = "ECDSA_SHA256";
+        }
         const json = JSON.stringify(artifact, null, 2);
         const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
         fs16.writeFileSync(tmpOutput, json, "utf-8");
@@ -22016,15 +22118,18 @@ __export(src_exports, {
   SopsMissingError: () => SopsMissingError,
   SopsVersionError: () => SopsVersionError,
   assertSops: () => assertSops,
+  buildSigningPayload: () => buildSigningPayload,
   checkAll: () => checkAll,
   checkDependency: () => checkDependency,
   collectCIContext: () => collectCIContext,
   deriveAgePublicKey: () => deriveAgePublicKey,
+  detectAlgorithm: () => detectAlgorithm,
   detectFormat: () => detectFormat,
   findRequest: () => findRequest,
   formatAgeKeyFile: () => formatAgeKeyFile,
   generateAgeIdentity: () => generateAgeIdentity,
   generateRandomValue: () => generateRandomValue,
+  generateSigningKeyPair: () => generateSigningKeyPair,
   getPendingKeys: () => getPendingKeys,
   isHighEntropy: () => isHighEntropy,
   isKmsEnvelope: () => isKmsEnvelope,
@@ -22056,8 +22161,11 @@ __export(src_exports, {
   shannonEntropy: () => shannonEntropy,
   shouldIgnoreFile: () => shouldIgnoreFile,
   shouldIgnoreMatch: () => shouldIgnoreMatch,
+  signEd25519: () => signEd25519,
+  signKms: () => signKms,
   upsertRequest: () => upsertRequest,
-  validateAgePublicKey: () => validateAgePublicKey
+  validateAgePublicKey: () => validateAgePublicKey,
+  verifySignature: () => verifySignature
 });
 var init_src = __esm({
   "../core/src/index.ts"() {
@@ -22088,6 +22196,7 @@ var init_src = __esm({
     init_manager2();
     init_resolve();
     init_packer();
+    init_signer();
   }
 });
 
@@ -22698,7 +22807,7 @@ var require_supports_color = __commonJS({
         return 1;
       }
       if ("CI" in env) {
-        if (["TRAVIS", "CIRCLECI", "APPVEYOR", "GITLAB_CI", "GITHUB_ACTIONS", "BUILDKITE"].some((sign) => sign in env) || env.CI_NAME === "codeship") {
+        if (["TRAVIS", "CIRCLECI", "APPVEYOR", "GITLAB_CI", "GITHUB_ACTIONS", "BUILDKITE"].some((sign2) => sign2 in env) || env.CI_NAME === "codeship") {
           return 1;
         }
         return min;
@@ -37679,16 +37788,16 @@ var require_utils = __commonJS({
       var inflate = options?.inflate !== false;
       var limit = typeof options?.limit !== "number" ? bytes.parse(options?.limit || "100kb") : options?.limit;
       var type = options?.type || defaultType;
-      var verify = options?.verify || false;
+      var verify2 = options?.verify || false;
       var defaultCharset = options?.defaultCharset || "utf-8";
-      if (verify !== false && typeof verify !== "function") {
+      if (verify2 !== false && typeof verify2 !== "function") {
         throw new TypeError("option verify must be function");
       }
       var shouldParse = typeof type !== "function" ? typeChecker(type) : type;
       return {
         inflate,
         limit,
-        verify,
+        verify: verify2,
         defaultCharset,
         shouldParse
       };
@@ -37746,7 +37855,7 @@ var require_read = __commonJS({
       var length;
       var opts = options;
       var stream;
-      var verify = opts.verify;
+      var verify2 = opts.verify;
       try {
         stream = contentstream(req, debug, opts.inflate);
         length = stream.length;
@@ -37755,7 +37864,7 @@ var require_read = __commonJS({
         return next(err);
       }
       opts.length = length;
-      opts.encoding = verify ? null : encoding;
+      opts.encoding = verify2 ? null : encoding;
       if (opts.encoding === null && encoding !== null && !iconv.encodingExists(encoding)) {
         return next(createError(415, 'unsupported charset "' + encoding.toUpperCase() + '"', {
           charset: encoding.toLowerCase(),
@@ -37783,10 +37892,10 @@ var require_read = __commonJS({
           });
           return;
         }
-        if (verify) {
+        if (verify2) {
           try {
             debug("verify body");
-            verify(req, res, body, encoding);
+            verify2(req, res, body, encoding);
           } catch (err) {
             next(createError(403, err, {
               body,
@@ -38737,7 +38846,7 @@ var require_sign = __commonJS({
   "../../node_modules/math-intrinsics/sign.js"(exports2, module2) {
     "use strict";
     var $isNaN = require_isNaN();
-    module2.exports = function sign(number) {
+    module2.exports = function sign2(number) {
       if ($isNaN(number) || number === 0) {
         return number;
       }
@@ -39101,7 +39210,7 @@ var require_get_intrinsic = __commonJS({
     var min = require_min();
     var pow = require_pow();
     var round = require_round();
-    var sign = require_sign();
+    var sign2 = require_sign();
     var $Function = Function;
     var getEvalledConstructor = function(expressionSyntax) {
       try {
@@ -39215,7 +39324,7 @@ var require_get_intrinsic = __commonJS({
       "%Math.min%": min,
       "%Math.pow%": pow,
       "%Math.round%": round,
-      "%Math.sign%": sign,
+      "%Math.sign%": sign2,
       "%Reflect.getPrototypeOf%": $ReflectGPO
     };
     if (getProto) {
@@ -41001,14 +41110,14 @@ var require_etag = __commonJS({
   "../../node_modules/etag/index.js"(exports2, module2) {
     "use strict";
     module2.exports = etag;
-    var crypto5 = require("crypto");
+    var crypto6 = require("crypto");
     var Stats = require("fs").Stats;
     var toString = Object.prototype.toString;
     function entitytag(entity) {
       if (entity.length === 0) {
         return '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"';
       }
-      var hash = crypto5.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
+      var hash = crypto6.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
       var len = typeof entity === "string" ? Buffer.byteLength(entity, "utf8") : entity.length;
       return '"' + len.toString(16) + "-" + hash + '"';
     }
@@ -63433,17 +63542,17 @@ var require_content_disposition = __commonJS({
 // ../../node_modules/cookie-signature/index.js
 var require_cookie_signature = __commonJS({
   "../../node_modules/cookie-signature/index.js"(exports2) {
-    var crypto5 = require("crypto");
+    var crypto6 = require("crypto");
     exports2.sign = function(val, secret) {
       if ("string" != typeof val) throw new TypeError("Cookie value must be provided as a string.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
-      return val + "." + crypto5.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
+      return val + "." + crypto6.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
     };
     exports2.unsign = function(input, secret) {
       if ("string" != typeof input) throw new TypeError("Signed cookie string must be provided.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
       var tentativeValue = input.slice(0, input.lastIndexOf(".")), expectedInput = exports2.sign(tentativeValue, secret), expectedBuffer = Buffer.from(expectedInput), inputBuffer = Buffer.from(input);
-      return expectedBuffer.length === inputBuffer.length && crypto5.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
+      return expectedBuffer.length === inputBuffer.length && crypto6.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
     };
   }
 });
@@ -73690,7 +73799,7 @@ var require_response = __commonJS({
     var path44 = require("node:path");
     var pathIsAbsolute = require("node:path").isAbsolute;
     var statuses = require_statuses();
-    var sign = require_cookie_signature().sign;
+    var sign2 = require_cookie_signature().sign;
     var normalizeType = require_utils3().normalizeType;
     var normalizeTypes = require_utils3().normalizeTypes;
     var setCharset = require_utils3().setCharset;
@@ -73981,7 +74090,7 @@ var require_response = __commonJS({
       }
       var val = typeof value === "object" ? "j:" + JSON.stringify(value) : String(value);
       if (signed) {
-        val = "s:" + sign(val, secret);
+        val = "s:" + sign2(val, secret);
       }
       if (opts.maxAge != null) {
         var maxAge = opts.maxAge - 0;
@@ -75347,9 +75456,8 @@ var require_api = __commonJS({
             }
             res.json({ success: true, key });
           }
-        } catch (err) {
-          const detail = err instanceof Error ? err.message : String(err);
-          res.status(500).json({ error: `Failed to set value: ${detail}`, code: "SET_ERROR" });
+        } catch {
+          res.status(500).json({ error: "Failed to set value", code: "SET_ERROR" });
         }
       });
       router.delete("/namespace/:ns/:env/:key", async (req, res) => {
@@ -75886,7 +75994,7 @@ var require_server = __commonJS({
       const app = (0, express_1.default)();
       const sessionToken = (0, crypto_1.randomBytes)(32).toString("hex");
       app.use(express_1.default.json());
-      app.use("/api", (req, res, next) => {
+      app.use((req, res, next) => {
         const host = req.headers.host ?? "";
         const actualPort = req.socket.address()?.port ?? port;
         const allowedHosts = [`127.0.0.1:${actualPort}`, `127.0.0.1:${port}`];
@@ -76312,6 +76420,20 @@ var require_aws = __commonJS({
         }
         return Buffer.from(response.Plaintext);
       }
+      async sign(keyId, digest) {
+        await this.ensureClient();
+        const command = new this.sdk.SignCommand({
+          KeyId: keyId,
+          Message: digest,
+          MessageType: "DIGEST",
+          SigningAlgorithm: "ECDSA_SHA_256"
+        });
+        const response = await this.client.send(command);
+        if (!response.Signature) {
+          throw new Error("AWS KMS Sign returned no signature.");
+        }
+        return Buffer.from(response.Signature);
+      }
     };
     exports2.AwsKmsProvider = AwsKmsProvider;
   }
@@ -76525,6 +76647,88 @@ var require_kms = __commonJS({
   }
 });
 
+// ../runtime/dist/signature.js
+var require_signature = __commonJS({
+  "../runtime/dist/signature.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
+      Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+      o["default"] = v;
+    });
+    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
+      var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function(o2) {
+          var ar = [];
+          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+          return ar;
+        };
+        return ownKeys(o);
+      };
+      return function(mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) {
+          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        }
+        __setModuleDefault(result, mod);
+        return result;
+      };
+    })();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.buildSigningPayload = buildSigningPayload2;
+    exports2.verifySignature = verifySignature2;
+    var crypto6 = __importStar(require("crypto"));
+    function buildSigningPayload2(artifact) {
+      const fields = [
+        "clef-sig-v1",
+        String(artifact.version),
+        artifact.identity,
+        artifact.environment,
+        artifact.revision,
+        artifact.packedAt,
+        artifact.ciphertextHash,
+        [...artifact.keys].sort().join(","),
+        artifact.expiresAt ?? "",
+        artifact.envelope?.provider ?? "",
+        artifact.envelope?.keyId ?? "",
+        artifact.envelope?.wrappedKey ?? "",
+        artifact.envelope?.algorithm ?? ""
+      ];
+      return Buffer.from(fields.join("\n"), "utf-8");
+    }
+    function verifySignature2(payload, signatureBase64, publicKeyBase64) {
+      const keyObj = crypto6.createPublicKey({
+        key: Buffer.from(publicKeyBase64, "base64"),
+        format: "der",
+        type: "spki"
+      });
+      const signature = Buffer.from(signatureBase64, "base64");
+      const keyType = keyObj.asymmetricKeyType;
+      if (keyType === "ed25519") {
+        return crypto6.verify(null, payload, keyObj, signature);
+      }
+      if (keyType === "ec") {
+        return crypto6.verify("sha256", payload, keyObj, signature);
+      }
+      throw new Error(`Unsupported key type for signature verification: ${keyType}`);
+    }
+  }
+});
+
 // ../runtime/dist/poller.js
 var require_poller = __commonJS({
   "../runtime/dist/poller.js"(exports2) {
@@ -76568,9 +76772,10 @@ var require_poller = __commonJS({
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.ArtifactPoller = void 0;
-    var crypto5 = __importStar(require("crypto"));
+    var crypto6 = __importStar(require("crypto"));
     var decrypt_1 = require_decrypt();
     var kms_1 = require_kms();
+    var signature_1 = require_signature();
     var MIN_POLL_MS = 5e3;
     var ArtifactPoller = class {
       timer = null;
@@ -76686,7 +76891,7 @@ var require_poller = __commonJS({
         }
         if (artifact.revision === this.lastRevision)
           return;
-        const hash = crypto5.createHash("sha256").update(artifact.ciphertext).digest("hex");
+        const hash = crypto6.createHash("sha256").update(artifact.ciphertext).digest("hex");
         if (hash !== artifact.ciphertextHash) {
           const err = new Error(`Artifact integrity check failed: expected hash ${artifact.ciphertextHash}, got ${hash}`);
           this.telemetry?.artifactInvalid({
@@ -76695,6 +76900,36 @@ var require_poller = __commonJS({
           });
           throw err;
         }
+        if (this.options.verifyKey) {
+          if (!artifact.signature) {
+            const err = new Error("Artifact signature verification failed: artifact is unsigned but a verify key is configured. Only signed artifacts are accepted when signature verification is enabled.");
+            this.telemetry?.artifactInvalid({
+              reason: "signature_missing",
+              error: err.message
+            });
+            throw err;
+          }
+          const payload = (0, signature_1.buildSigningPayload)(artifact);
+          let valid;
+          try {
+            valid = (0, signature_1.verifySignature)(payload, artifact.signature, this.options.verifyKey);
+          } catch (sigErr) {
+            const err = new Error(`Artifact signature verification error: ${sigErr instanceof Error ? sigErr.message : String(sigErr)}`);
+            this.telemetry?.artifactInvalid({
+              reason: "signature_error",
+              error: err.message
+            });
+            throw err;
+          }
+          if (!valid) {
+            const err = new Error("Artifact signature verification failed: signature does not match the verify key. The artifact may have been tampered with or signed by a different key.");
+            this.telemetry?.artifactInvalid({
+              reason: "signature_invalid",
+              error: err.message
+            });
+            throw err;
+          }
+        }
         let agePrivateKey;
         if (artifact.envelope) {
           try {
@@ -76816,6 +77051,8 @@ var require_poller = __commonJS({
         return "missing_fields";
       if (msg.includes("incomplete envelope"))
         return "incomplete_envelope";
+      if (msg.includes("signature"))
+        return "signature";
       return "unknown";
     }
   }
@@ -77284,7 +77521,7 @@ var require_dist4 = __commonJS({
   "../runtime/dist/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.ClefRuntime = exports2.VcsArtifactSource = exports2.FileArtifactSource = exports2.HttpArtifactSource = exports2.createKmsProvider = exports2.AwsKmsProvider = exports2.createVcsProvider = exports2.BitbucketProvider = exports2.GitLabProvider = exports2.GitHubProvider = exports2.TelemetryEmitter = exports2.ArtifactPoller = exports2.AgeDecryptor = exports2.DiskCache = exports2.SecretsCache = void 0;
+    exports2.ClefRuntime = exports2.verifySignature = exports2.buildSigningPayload = exports2.VcsArtifactSource = exports2.FileArtifactSource = exports2.HttpArtifactSource = exports2.createKmsProvider = exports2.AwsKmsProvider = exports2.createVcsProvider = exports2.BitbucketProvider = exports2.GitLabProvider = exports2.GitHubProvider = exports2.TelemetryEmitter = exports2.ArtifactPoller = exports2.AgeDecryptor = exports2.DiskCache = exports2.SecretsCache = void 0;
     exports2.init = init;
     var secrets_cache_1 = require_secrets_cache();
     Object.defineProperty(exports2, "SecretsCache", { enumerable: true, get: function() {
@@ -77342,6 +77579,13 @@ var require_dist4 = __commonJS({
     Object.defineProperty(exports2, "VcsArtifactSource", { enumerable: true, get: function() {
       return vcs_1.VcsArtifactSource;
     } });
+    var signature_1 = require_signature();
+    Object.defineProperty(exports2, "buildSigningPayload", { enumerable: true, get: function() {
+      return signature_1.buildSigningPayload;
+    } });
+    Object.defineProperty(exports2, "verifySignature", { enumerable: true, get: function() {
+      return signature_1.verifySignature;
+    } });
     var secrets_cache_2 = require_secrets_cache();
     var disk_cache_2 = require_disk_cache();
     var decrypt_2 = require_decrypt();
@@ -77370,7 +77614,8 @@ var require_dist4 = __commonJS({
           cache: this.cache,
           diskCache,
           cacheTtl: config.cacheTtl,
-          telemetry: config.telemetry
+          telemetry: config.telemetry,
+          verifyKey: config.verifyKey
         });
       }
       /** Initial fetch + decrypt. Must be called before get/getAll. */
@@ -78936,12 +79181,14 @@ function registerSetCommand(program3, deps2) {
           try {
             await markPendingWithRetry(filePath, [key], "clef set --random");
           } catch {
-            formatter.warn(
+            formatter.error(
               `${key} was encrypted but pending state could not be recorded.
-  WARNING: The encrypted file contains a random placeholder value.
+  The encrypted file contains a random placeholder value with no tracking metadata.
   This key MUST be set to a real value before deploying.
   Run: clef set ${namespace}/${environment} ${key}`
             );
+            process.exit(1);
+            return;
           }
           formatter.success(`${key} set in ${namespace}/${environment} ${sym("locked")}`);
           formatter.print(
@@ -78985,7 +79232,7 @@ function parseTarget2(target) {
 // src/commands/compare.ts
 var path23 = __toESM(require("path"));
 init_src();
-var crypto4 = __toESM(require("crypto"));
+var crypto5 = __toESM(require("crypto"));
 function registerCompareCommand(program3, deps2) {
   program3.command("compare <target> <key> [value]").description(
     "Compare a stored secret with a supplied value.\n\n  target: namespace/environment (e.g. payments/staging)\n  key:    the key name to compare\n  value:  optional \u2014 if omitted, prompts with hidden input\n\nNeither value is ever printed to stdout.\n\nExit codes:\n  0  values match\n  1  values do not match or operation failed"
@@ -79021,7 +79268,7 @@ function registerCompareCommand(program3, deps2) {
         return;
       }
       const stored = decrypted.values[key];
-      const match = stored.length === compareValue.length && crypto4.timingSafeEqual(Buffer.from(stored), Buffer.from(compareValue));
+      const match = stored.length === compareValue.length && crypto5.timingSafeEqual(Buffer.from(stored), Buffer.from(compareValue));
       if (match) {
         formatter.success(`${key} ${sym("arrow")} values match`);
       } else {
@@ -79483,7 +79730,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version = "0.1.7-beta.45";
+var version = "0.1.8-beta.52";
 var package_default = {
   name: "@clef-sh/cli",
   version,
@@ -79582,6 +79829,7 @@ function registerLintCommand(program3, deps2) {
         formatter.raw(JSON.stringify(result, null, 2) + "\n");
         const hasErrors2 = result.issues.some((i) => i.severity === "error");
         process.exit(hasErrors2 ? 1 : 0);
+        return;
       }
       formatLintOutput(result);
       const hasErrors = result.issues.some((i) => i.severity === "error");
@@ -81629,7 +81877,11 @@ Service Identity: ${identity.name}`);
         formatter.error(err.message);
         const partialEntries = Object.entries(err.rotatedKeys);
         const partialBlock = partialEntries.map(([env, key]) => `${env}: ${key}`).join("\n");
-        const partialCopied = copyToClipboard(partialBlock);
+        let partialCopied = false;
+        try {
+          partialCopied = copyToClipboard(partialBlock);
+        } catch {
+        }
         if (partialCopied) {
           formatter.warn(
             "Partial rotation succeeded. Rotated keys copied to clipboard \u2014 store them NOW.\n"
@@ -81665,7 +81917,13 @@ init_src();
 function registerPackCommand(program3, deps2) {
   program3.command("pack <identity> <environment>").description(
     "Pack an encrypted artifact for a service identity.\n\n  The artifact is a JSON envelope with age-encrypted secrets that can be\n  fetched by the Clef agent at runtime from any HTTP URL or local file.\n\nUsage:\n  clef pack api-gateway production --output ./artifact.json\n  # Then upload with your CI tools:\n  # aws s3 cp ./artifact.json s3://my-bucket/clef/api-gateway/production.json"
-  ).requiredOption("-o, --output <path>", "Output file path for the artifact JSON").option("--ttl <seconds>", "Artifact TTL \u2014 embeds an expiresAt timestamp in the envelope").action(
+  ).requiredOption("-o, --output <path>", "Output file path for the artifact JSON").option("--ttl <seconds>", "Artifact TTL \u2014 embeds an expiresAt timestamp in the envelope").option(
+    "--signing-key <key>",
+    "Ed25519 private key for artifact signing (base64 DER PKCS8, or env CLEF_SIGNING_KEY)"
+  ).option(
+    "--signing-kms-key <keyId>",
+    "KMS asymmetric signing key ARN/ID (ECDSA_SHA_256, or env CLEF_SIGNING_KMS_KEY)"
+  ).action(
     async (identity, environment, opts) => {
       try {
         const repoRoot = program3.opts().dir || process.cwd();
@@ -81690,11 +81948,20 @@ function registerPackCommand(program3, deps2) {
           process.exit(1);
           return;
         }
+        const signingKey = opts.signingKey ?? process.env.CLEF_SIGNING_KEY;
+        const signingKmsKeyId = opts.signingKmsKey ?? process.env.CLEF_SIGNING_KMS_KEY;
+        if (signingKey && signingKmsKeyId) {
+          formatter.error(
+            "Cannot specify both --signing-key (Ed25519) and --signing-kms-key (KMS). Choose one."
+          );
+          process.exit(1);
+          return;
+        }
         formatter.print(
           `${sym("working")}  Packing artifact for '${identity}/${environment}'...`
         );
         const result = await packer.pack(
-          { identity, environment, outputPath, ttl },
+          { identity, environment, outputPath, ttl, signingKey, signingKmsKeyId },
           manifest,
           repoRoot
         );
@@ -81707,11 +81974,13 @@ function registerPackCommand(program3, deps2) {
         if (envConfig && isKmsEnvelope(envConfig)) {
           formatter.print(`  Envelope: KMS (${envConfig.kms.provider})`);
         }
-        formatter.warn(
-          "\nThe artifact contains encrypted secrets. Do NOT commit it to version control."
-        );
+        if (signingKey) {
+          formatter.print(`  Signed:   Ed25519`);
+        } else if (signingKmsKeyId) {
+          formatter.print(`  Signed:   KMS ECDSA_SHA256`);
+        }
         formatter.hint(
-          "Upload the artifact to an HTTP-accessible store (S3, GCS, etc.) using your CI tools."
+          "\nUpload the artifact to an HTTP-accessible store (S3, GCS, etc.) or commit to\n  .clef/packed/ for VCS-based delivery. See: clef.sh/guide/service-identities"
         );
       } catch (err) {
         if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
@@ -81814,6 +82083,7 @@ function registerDriftCommand(program3, _deps) {
         if (options.json) {
           formatter.raw(JSON.stringify(result, null, 2) + "\n");
           process.exit(result.issues.length > 0 ? 1 : 0);
+          return;
         }
         formatDriftOutput(result);
         process.exit(result.issues.length > 0 ? 1 : 0);