@clef-sh/cli 0.1.8 → 0.1.9-beta.57

package/dist/index.cjs

@@ -967,7 +967,7 @@ var require_command = __commonJS({
     var EventEmitter = require("node:events").EventEmitter;
     var childProcess = require("node:child_process");
     var path44 = require("node:path");
-    var fs27 = require("node:fs");
+    var fs26 = require("node:fs");
     var process2 = require("node:process");
     var { Argument: Argument2, humanReadableArgName } = require_argument();
     var { CommanderError: CommanderError2 } = require_error();
@@ -1900,10 +1900,10 @@ Expecting one of '${allowedValues.join("', '")}'`);
         const sourceExt = [".js", ".ts", ".tsx", ".mjs", ".cjs"];
         function findFile(baseDir, baseName) {
           const localBin = path44.resolve(baseDir, baseName);
-          if (fs27.existsSync(localBin)) return localBin;
+          if (fs26.existsSync(localBin)) return localBin;
           if (sourceExt.includes(path44.extname(baseName))) return void 0;
           const foundExt = sourceExt.find(
-            (ext) => fs27.existsSync(`${localBin}${ext}`)
+            (ext) => fs26.existsSync(`${localBin}${ext}`)
           );
           if (foundExt) return `${localBin}${foundExt}`;
           return void 0;
@@ -1915,7 +1915,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         if (this._scriptPath) {
           let resolvedScriptPath;
           try {
-            resolvedScriptPath = fs27.realpathSync(this._scriptPath);
+            resolvedScriptPath = fs26.realpathSync(this._scriptPath);
           } catch (err) {
             resolvedScriptPath = this._scriptPath;
           }
@@ -9866,14 +9866,14 @@ var require_parser = __commonJS({
             case "scalar":
             case "single-quoted-scalar":
             case "double-quoted-scalar": {
-              const fs27 = this.flowScalar(this.type);
+              const fs26 = this.flowScalar(this.type);
               if (atNextItem || it.value) {
-                map.items.push({ start, key: fs27, sep: [] });
+                map.items.push({ start, key: fs26, sep: [] });
                 this.onKeyLine = true;
               } else if (it.sep) {
-                this.stack.push(fs27);
+                this.stack.push(fs26);
               } else {
-                Object.assign(it, { key: fs27, sep: [] });
+                Object.assign(it, { key: fs26, sep: [] });
                 this.onKeyLine = true;
               }
               return;
@@ -10001,13 +10001,13 @@ var require_parser = __commonJS({
             case "scalar":
             case "single-quoted-scalar":
             case "double-quoted-scalar": {
-              const fs27 = this.flowScalar(this.type);
+              const fs26 = this.flowScalar(this.type);
               if (!it || it.value)
-                fc.items.push({ start: [], key: fs27, sep: [] });
+                fc.items.push({ start: [], key: fs26, sep: [] });
               else if (it.sep)
-                this.stack.push(fs27);
+                this.stack.push(fs26);
               else
-                Object.assign(it, { key: fs27, sep: [] });
+                Object.assign(it, { key: fs26, sep: [] });
               return;
             }
             case "flow-map-end":
@@ -10215,7 +10215,7 @@ var require_public_api = __commonJS({
       }
       return doc;
     }
-    function parse16(src, reviver, options) {
+    function parse15(src, reviver, options) {
       let _reviver = void 0;
       if (typeof reviver === "function") {
         _reviver = reviver;
@@ -10256,7 +10256,7 @@ var require_public_api = __commonJS({
         return value.toString(options);
       return new Document.Document(value, _replacer, options).toString(options);
     }
-    exports2.parse = parse16;
+    exports2.parse = parse15;
     exports2.parseAllDocuments = parseAllDocuments;
     exports2.parseDocument = parseDocument;
     exports2.stringify = stringify7;
@@ -10737,6 +10737,12 @@ var init_parser = __esm({
               "namespaces"
             );
           }
+          if (!ENV_NAME_PATTERN.test(nsObj.name)) {
+            throw new ManifestValidationError(
+              `Namespace name '${nsObj.name}' is invalid. Names must start with a lowercase letter and contain only lowercase letters, digits, hyphens, and underscores.`,
+              "namespaces"
+            );
+          }
           if (!nsObj.description || typeof nsObj.description !== "string") {
             throw new ManifestValidationError(
               `Namespace '${nsObj.name}' is missing a 'description' string.`,
@@ -10837,9 +10843,9 @@ var init_parser = __esm({
               );
             }
             const siName = siObj.name;
-            if (!siObj.description || typeof siObj.description !== "string") {
+            if (siObj.description != null && typeof siObj.description !== "string") {
               throw new ManifestValidationError(
-                `Service identity '${siName}' is missing a 'description' string.`,
+                `Service identity '${siName}' has a non-string 'description'.`,
                 "service_identities"
               );
             }
@@ -10954,7 +10960,7 @@ var init_parser = __esm({
             }
             return {
               name: siName,
-              description: siObj.description,
+              description: siObj.description ?? "",
               namespaces: siObj.namespaces,
               environments: parsedEnvs
             };
@@ -11155,7 +11161,11 @@ var init_scanner = __esm({
     init_patterns();
     init_ignore();
     ALWAYS_SKIP_EXTENSIONS = [".enc.yaml", ".enc.json"];
-    ALWAYS_SKIP_NAMES = [".clef-meta.yaml"];
+    ALWAYS_SKIP_NAMES = [
+      ".clef-meta.yaml",
+      ".sops.yaml"
+      // contains age public keys and KMS ARNs — configuration, not secrets
+    ];
     ALWAYS_SKIP_DIRS = ["node_modules", ".git"];
     MAX_FILE_SIZE = 1024 * 1024;
     ScanRunner = class {
@@ -11451,15 +11461,36 @@ var init_metadata = __esm({
   }
 });
 
+// ../core/src/sops/keys.ts
+function readSopsKeyNames(filePath) {
+  try {
+    const raw = fs5.readFileSync(filePath, "utf-8");
+    const parsed = YAML3.parse(raw);
+    if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
+    return Object.keys(parsed).filter((k) => k !== "sops");
+  } catch {
+    return null;
+  }
+}
+var fs5, YAML3;
+var init_keys = __esm({
+  "../core/src/sops/keys.ts"() {
+    "use strict";
+    fs5 = __toESM(require("fs"));
+    YAML3 = __toESM(require_dist());
+  }
+});
+
 // ../core/src/matrix/manager.ts
-var fs5, path4, YAML3, MatrixManager;
+var fs6, path4, YAML4, MatrixManager;
 var init_manager = __esm({
   "../core/src/matrix/manager.ts"() {
     "use strict";
-    fs5 = __toESM(require("fs"));
+    fs6 = __toESM(require("fs"));
     path4 = __toESM(require("path"));
-    YAML3 = __toESM(require_dist());
+    YAML4 = __toESM(require_dist());
     init_metadata();
+    init_keys();
     MatrixManager = class {
       /**
        * Build the full grid of {@link MatrixCell} objects from the manifest.
@@ -11478,7 +11509,7 @@ var init_manager = __esm({
               namespace: ns.name,
               environment: env.name,
               filePath,
-              exists: fs5.existsSync(filePath)
+              exists: fs6.existsSync(filePath)
             });
           }
         }
@@ -11502,8 +11533,8 @@ var init_manager = __esm({
        */
       async scaffoldCell(cell, sopsClient, manifest) {
         const dir = path4.dirname(cell.filePath);
-        if (!fs5.existsSync(dir)) {
-          fs5.mkdirSync(dir, { recursive: true });
+        if (!fs6.existsSync(dir)) {
+          fs6.mkdirSync(dir, { recursive: true });
         }
         await sopsClient.encrypt(cell.filePath, {}, manifest, cell.environment);
       }
@@ -11572,22 +11603,15 @@ var init_manager = __esm({
        * SOPS stores key names in plaintext — only values are encrypted.
        */
       readKeyNames(filePath) {
-        try {
-          const raw = fs5.readFileSync(filePath, "utf-8");
-          const parsed = YAML3.parse(raw);
-          if (!parsed || typeof parsed !== "object") return [];
-          return Object.keys(parsed).filter((k) => k !== "sops");
-        } catch {
-          return [];
-        }
+        return readSopsKeyNames(filePath) ?? [];
       }
       /**
        * Read the lastModified timestamp from SOPS metadata without decryption.
        */
       readLastModified(filePath) {
         try {
-          const raw = fs5.readFileSync(filePath, "utf-8");
-          const parsed = YAML3.parse(raw);
+          const raw = fs6.readFileSync(filePath, "utf-8");
+          const parsed = YAML4.parse(raw);
           const sops = parsed?.sops;
           if (sops?.lastmodified) return new Date(String(sops.lastmodified));
           return null;
@@ -11610,12 +11634,12 @@ var init_manager = __esm({
 });
 
 // ../core/src/schema/validator.ts
-var fs6, YAML4, SchemaValidator;
+var fs7, YAML5, SchemaValidator;
 var init_validator2 = __esm({
   "../core/src/schema/validator.ts"() {
     "use strict";
-    fs6 = __toESM(require("fs"));
-    YAML4 = __toESM(require_dist());
+    fs7 = __toESM(require("fs"));
+    YAML5 = __toESM(require_dist());
     init_types();
     SchemaValidator = class {
       /**
@@ -11628,13 +11652,13 @@ var init_validator2 = __esm({
       loadSchema(filePath) {
         let raw;
         try {
-          raw = fs6.readFileSync(filePath, "utf-8");
+          raw = fs7.readFileSync(filePath, "utf-8");
         } catch {
           throw new SchemaLoadError(`Could not read schema file at '${filePath}'.`, filePath);
         }
         let parsed;
         try {
-          parsed = YAML4.parse(raw);
+          parsed = YAML5.parse(raw);
         } catch {
           throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
         }
@@ -11949,11 +11973,11 @@ ${details}`
 });
 
 // ../core/src/git/integration.ts
-var fs7, path7, PRE_COMMIT_HOOK, GitIntegration;
+var fs8, path7, PRE_COMMIT_HOOK, GitIntegration;
 var init_integration = __esm({
   "../core/src/git/integration.ts"() {
     "use strict";
-    fs7 = __toESM(require("fs"));
+    fs8 = __toESM(require("fs"));
     path7 = __toESM(require("path"));
     init_types();
     PRE_COMMIT_HOOK = `#!/bin/sh
@@ -12163,14 +12187,14 @@ exit $EXIT_CODE
         });
         const gitConfig = configResult.exitCode === 0 && configResult.stdout.trim().length > 0;
         const attrFilePath = path7.join(repoRoot, ".gitattributes");
-        const attrContent = fs7.existsSync(attrFilePath) ? fs7.readFileSync(attrFilePath, "utf-8") : "";
+        const attrContent = fs8.existsSync(attrFilePath) ? fs8.readFileSync(attrFilePath, "utf-8") : "";
         const gitattributes = attrContent.includes("merge=sops");
         return { gitConfig, gitattributes };
       }
       async ensureGitattributes(repoRoot) {
         const attrPath = path7.join(repoRoot, ".gitattributes");
         const mergeRule = "*.enc.yaml merge=sops\n*.enc.json merge=sops";
-        const existing = fs7.existsSync(attrPath) ? fs7.readFileSync(attrPath, "utf-8") : "";
+        const existing = fs8.existsSync(attrPath) ? fs8.readFileSync(attrPath, "utf-8") : "";
         if (existing.includes("merge=sops")) {
           return;
         }
@@ -12233,16 +12257,16 @@ function tryBundled() {
     const packageMain = require.resolve(`${packageName}/package.json`);
     const packageDir = path8.dirname(packageMain);
     const binPath = path8.join(packageDir, "bin", binName);
-    return fs8.existsSync(binPath) ? binPath : null;
+    return fs9.existsSync(binPath) ? binPath : null;
   } catch {
     return null;
   }
 }
-var fs8, path8;
+var fs9, path8;
 var init_bundled = __esm({
   "../core/src/sops/bundled.ts"() {
     "use strict";
-    fs8 = __toESM(require("fs"));
+    fs9 = __toESM(require("fs"));
     path8 = __toESM(require("path"));
   }
 });
@@ -12264,7 +12288,7 @@ function resolveSopsPath() {
   const envPath = process.env.CLEF_SOPS_PATH?.trim();
   if (envPath) {
     validateSopsPath(envPath);
-    if (!fs9.existsSync(envPath)) {
+    if (!fs10.existsSync(envPath)) {
       throw new Error(`CLEF_SOPS_PATH points to '${envPath}' but the file does not exist.`);
     }
     cached = { path: envPath, source: "env" };
@@ -12281,11 +12305,11 @@ function resolveSopsPath() {
 function resetSopsResolution() {
   cached = void 0;
 }
-var fs9, path9, cached;
+var fs10, path9, cached;
 var init_resolver = __esm({
   "../core/src/sops/resolver.ts"() {
     "use strict";
-    fs9 = __toESM(require("fs"));
+    fs10 = __toESM(require("fs"));
     path9 = __toESM(require("path"));
     init_bundled();
   }
@@ -19314,14 +19338,14 @@ function openWindowsInputPipe(content) {
     });
   });
 }
-var fs10, net, import_crypto, YAML5, SopsClient;
+var fs11, net, import_crypto, YAML6, SopsClient;
 var init_client = __esm({
   "../core/src/sops/client.ts"() {
     "use strict";
-    fs10 = __toESM(require("fs"));
+    fs11 = __toESM(require("fs"));
     net = __toESM(require("net"));
     import_crypto = require("crypto");
-    YAML5 = __toESM(require_dist());
+    YAML6 = __toESM(require_dist());
     init_types();
     init_checker();
     init_keygen();
@@ -19386,7 +19410,7 @@ var init_client = __esm({
         }
         let parsed;
         try {
-          parsed = YAML5.parse(result.stdout) ?? {};
+          parsed = YAML6.parse(result.stdout) ?? {};
         } catch {
           throw new SopsDecryptionError(
             `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -19413,7 +19437,7 @@ var init_client = __esm({
       async encrypt(filePath, values, manifest, environment) {
         await assertSops(this.runner, this.sopsCommand);
         const fmt = formatFromPath(filePath);
-        const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML5.stringify(values);
+        const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML6.stringify(values);
         const args = this.buildEncryptArgs(filePath, manifest, environment);
         const env = this.buildSopsEnv();
         let inputArg;
@@ -19457,7 +19481,7 @@ var init_client = __esm({
           );
         }
         try {
-          fs10.writeFileSync(filePath, result.stdout);
+          fs11.writeFileSync(filePath, result.stdout);
         } catch {
           throw new SopsEncryptionError(`Failed to write encrypted data to '${filePath}'.`, filePath);
         }
@@ -19470,21 +19494,7 @@ var init_client = __esm({
        * @throws {@link SopsEncryptionError} On failure.
        */
       async reEncrypt(filePath, newKey) {
-        await assertSops(this.runner, this.sopsCommand);
-        const env = this.buildSopsEnv();
-        const result = await this.runner.run(
-          this.sopsCommand,
-          ["rotate", "-i", "--add-age", newKey, filePath],
-          {
-            ...env ? { env } : {}
-          }
-        );
-        if (result.exitCode !== 0) {
-          throw new SopsEncryptionError(
-            `Failed to re-encrypt '${filePath}': ${result.stderr.trim()}`,
-            filePath
-          );
-        }
+        await this.addRecipient(filePath, newKey);
       }
       /**
        * Add an age recipient to an existing SOPS file.
@@ -19587,7 +19597,7 @@ var init_client = __esm({
         if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
         let keyContent;
         try {
-          keyContent = this.ageKey ?? fs10.readFileSync(this.ageKeyFile, "utf-8");
+          keyContent = this.ageKey ?? fs11.readFileSync(this.ageKeyFile, "utf-8");
         } catch {
           return "key-not-found";
         }
@@ -19604,7 +19614,7 @@ var init_client = __esm({
       parseMetadataFromFile(filePath) {
         let content;
         try {
-          content = fs10.readFileSync(filePath, "utf-8");
+          content = fs11.readFileSync(filePath, "utf-8");
         } catch {
           throw new SopsDecryptionError(
             `Could not read file '${filePath}' to extract SOPS metadata.`,
@@ -19613,7 +19623,7 @@ var init_client = __esm({
         }
         let parsed;
         try {
-          parsed = YAML5.parse(content);
+          parsed = YAML6.parse(content);
         } catch {
           throw new SopsDecryptionError(
             `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -20080,7 +20090,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML6.parse(content);
+    const parsed = YAML7.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -20161,7 +20171,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML6.parse(content);
+    parsed = YAML7.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -20195,7 +20205,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse7(content, format, filePath) {
+function parse8(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -20206,12 +20216,12 @@ function parse7(content, format, filePath) {
       return parseYaml(content);
   }
 }
-var path11, YAML6;
+var path11, YAML7;
 var init_parsers = __esm({
   "../core/src/import/parsers.ts"() {
     "use strict";
     path11 = __toESM(require("path"));
-    YAML6 = __toESM(require_dist());
+    YAML7 = __toESM(require_dist());
   }
 });
 
@@ -20242,7 +20252,7 @@ var init_import = __esm({
           repoRoot,
           manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
         );
-        const parsed = parse7(content, options.format ?? "auto", sourcePath ?? "");
+        const parsed = parse8(content, options.format ?? "auto", sourcePath ?? "");
         let candidates = Object.entries(parsed.pairs);
         if (options.prefix) {
           const prefix = options.prefix;
@@ -20320,12 +20330,12 @@ function toRecipient(entry) {
 }
 function readManifestYaml(repoRoot) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  const raw = fs11.readFileSync(manifestPath, "utf-8");
-  return YAML7.parse(raw);
+  const raw = fs12.readFileSync(manifestPath, "utf-8");
+  return YAML8.parse(raw);
 }
 function writeManifestYaml(repoRoot, doc) {
   const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs11.writeFileSync(manifestPath, YAML7.stringify(doc), "utf-8");
+  fs12.writeFileSync(manifestPath, YAML8.stringify(doc), "utf-8");
 }
 function getRecipientsArray(doc) {
   const sops = doc.sops;
@@ -20373,13 +20383,13 @@ function ensureEnvironmentRecipientsArray(doc, envName) {
   }
   return env.recipients;
 }
-var fs11, path13, YAML7, RecipientManager;
+var fs12, path13, YAML8, RecipientManager;
 var init_recipients = __esm({
   "../core/src/recipients/index.ts"() {
     "use strict";
-    fs11 = __toESM(require("fs"));
+    fs12 = __toESM(require("fs"));
     path13 = __toESM(require("path"));
-    YAML7 = __toESM(require_dist());
+    YAML8 = __toESM(require_dist());
     init_validator();
     init_parser();
     RecipientManager = class {
@@ -20435,7 +20445,7 @@ var init_recipients = __esm({
           throw new Error(`Recipient '${keyPreview(normalizedKey)}' is already present.`);
         }
         const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-        const manifestBackup = fs11.readFileSync(manifestPath, "utf-8");
+        const manifestBackup = fs12.readFileSync(manifestPath, "utf-8");
         const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
         if (label) {
           recipients.push({ key: normalizedKey, label });
@@ -20450,16 +20460,16 @@ var init_recipients = __esm({
         const fileBackups = /* @__PURE__ */ new Map();
         for (const cell of cells) {
           try {
-            fileBackups.set(cell.filePath, fs11.readFileSync(cell.filePath, "utf-8"));
+            fileBackups.set(cell.filePath, fs12.readFileSync(cell.filePath, "utf-8"));
             await this.encryption.addRecipient(cell.filePath, normalizedKey);
             reEncryptedFiles.push(cell.filePath);
           } catch {
             failedFiles.push(cell.filePath);
-            fs11.writeFileSync(manifestPath, manifestBackup, "utf-8");
+            fs12.writeFileSync(manifestPath, manifestBackup, "utf-8");
             for (const reEncryptedFile of reEncryptedFiles) {
               const backup = fileBackups.get(reEncryptedFile);
               if (backup) {
-                fs11.writeFileSync(reEncryptedFile, backup, "utf-8");
+                fs12.writeFileSync(reEncryptedFile, backup, "utf-8");
               }
             }
             const restoredDoc = readManifestYaml(repoRoot);
@@ -20513,7 +20523,7 @@ var init_recipients = __esm({
         }
         const removedEntry = parsed[matchIndex];
         const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-        const manifestBackup = fs11.readFileSync(manifestPath, "utf-8");
+        const manifestBackup = fs12.readFileSync(manifestPath, "utf-8");
         const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
         recipients.splice(matchIndex, 1);
         writeManifestYaml(repoRoot, doc);
@@ -20524,16 +20534,16 @@ var init_recipients = __esm({
         const fileBackups = /* @__PURE__ */ new Map();
         for (const cell of cells) {
           try {
-            fileBackups.set(cell.filePath, fs11.readFileSync(cell.filePath, "utf-8"));
+            fileBackups.set(cell.filePath, fs12.readFileSync(cell.filePath, "utf-8"));
             await this.encryption.removeRecipient(cell.filePath, trimmedKey);
             reEncryptedFiles.push(cell.filePath);
           } catch {
             failedFiles.push(cell.filePath);
-            fs11.writeFileSync(manifestPath, manifestBackup, "utf-8");
+            fs12.writeFileSync(manifestPath, manifestBackup, "utf-8");
             for (const reEncryptedFile of reEncryptedFiles) {
               const backup = fileBackups.get(reEncryptedFile);
               if (backup) {
-                fs11.writeFileSync(reEncryptedFile, backup, "utf-8");
+                fs12.writeFileSync(reEncryptedFile, backup, "utf-8");
               }
             }
             const restoredDoc = readManifestYaml(repoRoot);
@@ -20575,9 +20585,9 @@ function requestsFilePath(repoRoot) {
 function loadRequests(repoRoot) {
   const filePath = requestsFilePath(repoRoot);
   try {
-    if (!fs12.existsSync(filePath)) return [];
-    const content = fs12.readFileSync(filePath, "utf-8");
-    const parsed = YAML8.parse(content);
+    if (!fs13.existsSync(filePath)) return [];
+    const content = fs13.readFileSync(filePath, "utf-8");
+    const parsed = YAML9.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
       key: r.key,
@@ -20593,7 +20603,7 @@ function saveRequests(repoRoot, requests) {
   const filePath = requestsFilePath(repoRoot);
   if (requests.length === 0) {
     try {
-      fs12.unlinkSync(filePath);
+      fs13.unlinkSync(filePath);
     } catch {
     }
     return;
@@ -20609,7 +20619,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs12.writeFileSync(filePath, HEADER_COMMENT2 + YAML8.stringify(data), "utf-8");
+  fs13.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -20643,28 +20653,27 @@ function findInList(requests, identifier) {
   const byKey = requests.find((r) => r.key === identifier);
   return byKey ?? null;
 }
-var fs12, path14, YAML8, REQUESTS_FILENAME, HEADER_COMMENT2;
+var fs13, path14, YAML9, REQUESTS_FILENAME, HEADER_COMMENT2;
 var init_requests = __esm({
   "../core/src/recipients/requests.ts"() {
     "use strict";
-    fs12 = __toESM(require("fs"));
+    fs13 = __toESM(require("fs"));
     path14 = __toESM(require("path"));
-    YAML8 = __toESM(require_dist());
+    YAML9 = __toESM(require_dist());
     REQUESTS_FILENAME = ".clef-requests.yaml";
     HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
   }
 });
 
 // ../core/src/drift/detector.ts
-var fs13, path15, YAML9, DriftDetector;
+var path15, DriftDetector;
 var init_detector = __esm({
   "../core/src/drift/detector.ts"() {
     "use strict";
-    fs13 = __toESM(require("fs"));
     path15 = __toESM(require("path"));
-    YAML9 = __toESM(require_dist());
     init_parser();
     init_manager();
+    init_keys();
     DriftDetector = class {
       parser = new ManifestParser();
       matrix = new MatrixManager();
@@ -20692,45 +20701,30 @@ var init_detector = __esm({
         }
         const issues = [];
         let namespacesClean = 0;
+        const remoteEnvSet = new Set(remoteEnvNames);
+        const sharedEnvSet = new Set(localEnvNames.filter((e) => remoteEnvSet.has(e)));
         for (const ns of sharedNamespaces) {
-          const keyEnvs = /* @__PURE__ */ new Map();
-          const allEnvs = /* @__PURE__ */ new Set();
-          const localNsCells = localCells.filter((c) => c.namespace === ns);
-          for (const cell of localNsCells) {
-            const keys = this.readKeysFromFile(cell.filePath);
-            if (keys === null) continue;
-            allEnvs.add(cell.environment);
-            for (const key of keys) {
-              if (!keyEnvs.has(key)) keyEnvs.set(key, /* @__PURE__ */ new Set());
-              keyEnvs.get(key).add(cell.environment);
-            }
-          }
-          const remoteNsCells = remoteCells.filter((c) => c.namespace === ns);
-          for (const cell of remoteNsCells) {
-            const keys = this.readKeysFromFile(cell.filePath);
-            if (keys === null) continue;
-            allEnvs.add(cell.environment);
-            for (const key of keys) {
-              if (!keyEnvs.has(key)) keyEnvs.set(key, /* @__PURE__ */ new Set());
-              keyEnvs.get(key).add(cell.environment);
-            }
-          }
-          const envList = [...allEnvs];
+          const localKeyEnvs = this.collectKeyEnvs(localCells, ns, sharedEnvSet);
+          const remoteKeyEnvs = this.collectKeyEnvs(remoteCells, ns, sharedEnvSet);
           let nsClean = true;
-          for (const [key, envSet] of keyEnvs) {
-            const missingFrom = envList.filter((e) => !envSet.has(e));
-            if (missingFrom.length > 0) {
-              nsClean = false;
-              const presentIn = [...envSet].sort();
-              issues.push({
-                namespace: ns,
-                key,
-                presentIn,
-                missingFrom: missingFrom.sort(),
-                message: `Key '${key}' in namespace '${ns}' exists in [${presentIn.join(", ")}] but is missing from [${missingFrom.sort().join(", ")}]`
-              });
+          const reportDrift = (sourceMap, targetMap, direction) => {
+            for (const [key, sourceEnvs] of sourceMap) {
+              const targetEnvs = targetMap.get(key);
+              const missingFrom = [...sourceEnvs].filter((e) => !targetEnvs?.has(e)).sort();
+              if (missingFrom.length > 0) {
+                nsClean = false;
+                issues.push({
+                  namespace: ns,
+                  key,
+                  presentIn: [...sourceEnvs].sort(),
+                  missingFrom,
+                  message: `Key '${key}' in namespace '${ns}' exists in ${direction} [${[...sourceEnvs].sort().join(", ")}] but is missing from [${missingFrom.join(", ")}]`
+                });
+              }
             }
-          }
+          };
+          reportDrift(remoteKeyEnvs, localKeyEnvs, "remote");
+          reportDrift(localKeyEnvs, remoteKeyEnvs, "local");
           if (nsClean) namespacesClean++;
         }
         return {
@@ -20741,22 +20735,18 @@ var init_detector = __esm({
           remoteEnvironments: remoteEnvNames
         };
       }
-      /**
-       * Read top-level key names from an encrypted SOPS YAML file,
-       * filtering out the `sops` metadata key.
-       *
-       * @returns Array of key names, or `null` if the file cannot be read.
-       */
-      readKeysFromFile(filePath) {
-        try {
-          if (!fs13.existsSync(filePath)) return null;
-          const raw = fs13.readFileSync(filePath, "utf-8");
-          const parsed = YAML9.parse(raw);
-          if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
-          return Object.keys(parsed).filter((k) => k !== "sops");
-        } catch {
-          return null;
+      collectKeyEnvs(cells, ns, sharedEnvSet) {
+        const keyEnvs = /* @__PURE__ */ new Map();
+        for (const cell of cells) {
+          if (cell.namespace !== ns || !sharedEnvSet.has(cell.environment)) continue;
+          const keys = readSopsKeyNames(cell.filePath);
+          if (keys === null) continue;
+          for (const key of keys) {
+            if (!keyEnvs.has(key)) keyEnvs.set(key, /* @__PURE__ */ new Set());
+            keyEnvs.get(key).add(cell.environment);
+          }
         }
+        return keyEnvs;
       }
     };
   }
@@ -20902,19 +20892,18 @@ var init_sanitizer = __esm({
 });
 
 // ../core/src/report/generator.ts
-var fs14, path16, YAML10, ReportGenerator;
+var path16, ReportGenerator;
 var init_generator = __esm({
   "../core/src/report/generator.ts"() {
     "use strict";
-    fs14 = __toESM(require("fs"));
     path16 = __toESM(require("path"));
-    YAML10 = __toESM(require_dist());
     init_types();
     init_parser();
     init_runner();
     init_metadata();
     init_checker();
     init_sanitizer();
+    init_keys();
     ReportGenerator = class {
       constructor(runner2, sopsClient, matrixManager, schemaValidator) {
         this.runner = runner2;
@@ -21084,15 +21073,7 @@ var init_generator = __esm({
         };
       }
       readKeyCount(filePath) {
-        try {
-          if (!fs14.existsSync(filePath)) return 0;
-          const raw = fs14.readFileSync(filePath, "utf-8");
-          const parsed = YAML10.parse(raw);
-          if (parsed === null || parsed === void 0 || typeof parsed !== "object") return 0;
-          return Object.keys(parsed).filter((k) => k !== "sops").length;
-        } catch {
-          return 0;
-        }
+        return readSopsKeyNames(filePath)?.length ?? 0;
       }
       async buildPolicy(manifest, repoRoot) {
         try {
@@ -21459,14 +21440,14 @@ var init_driver = __esm({
 });
 
 // ../core/src/service-identity/manager.ts
-var fs15, os, path17, YAML11, PartialRotationError, ServiceIdentityManager;
+var fs14, os, path17, YAML10, PartialRotationError, ServiceIdentityManager;
 var init_manager2 = __esm({
   "../core/src/service-identity/manager.ts"() {
     "use strict";
-    fs15 = __toESM(require("fs"));
+    fs14 = __toESM(require("fs"));
     os = __toESM(require("os"));
     path17 = __toESM(require("path"));
-    YAML11 = __toESM(require_dist());
+    YAML10 = __toESM(require_dist());
     init_types();
     init_keygen();
     init_parser();
@@ -21521,8 +21502,8 @@ var init_manager2 = __esm({
         };
         await this.registerRecipients(definition, manifest, repoRoot);
         const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-        const raw = fs15.readFileSync(manifestPath, "utf-8");
-        const doc = YAML11.parse(raw);
+        const raw = fs14.readFileSync(manifestPath, "utf-8");
+        const doc = YAML10.parse(raw);
         if (!Array.isArray(doc.service_identities)) {
           doc.service_identities = [];
         }
@@ -21534,11 +21515,11 @@ var init_manager2 = __esm({
         });
         const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
         try {
-          fs15.writeFileSync(tmpCreate, YAML11.stringify(doc), "utf-8");
-          fs15.renameSync(tmpCreate, manifestPath);
+          fs14.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+          fs14.renameSync(tmpCreate, manifestPath);
         } finally {
           try {
-            fs15.unlinkSync(tmpCreate);
+            fs14.unlinkSync(tmpCreate);
           } catch {
           }
         }
@@ -21577,8 +21558,8 @@ var init_manager2 = __esm({
           }
         }
         const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-        const raw = fs15.readFileSync(manifestPath, "utf-8");
-        const doc = YAML11.parse(raw);
+        const raw = fs14.readFileSync(manifestPath, "utf-8");
+        const doc = YAML10.parse(raw);
         const identities = doc.service_identities;
         if (Array.isArray(identities)) {
           doc.service_identities = identities.filter(
@@ -21587,11 +21568,11 @@ var init_manager2 = __esm({
         }
         const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
         try {
-          fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
-          fs15.renameSync(tmp, manifestPath);
+          fs14.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+          fs14.renameSync(tmp, manifestPath);
         } finally {
           try {
-            fs15.unlinkSync(tmp);
+            fs14.unlinkSync(tmp);
           } catch {
           }
         }
@@ -21607,8 +21588,8 @@ var init_manager2 = __esm({
           throw new Error(`Service identity '${name}' not found.`);
         }
         const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-        const raw = fs15.readFileSync(manifestPath, "utf-8");
-        const doc = YAML11.parse(raw);
+        const raw = fs14.readFileSync(manifestPath, "utf-8");
+        const doc = YAML10.parse(raw);
         const identities = doc.service_identities;
         const siDoc = identities.find((si) => si.name === name);
         const envs = siDoc.environments;
@@ -21635,11 +21616,11 @@ var init_manager2 = __esm({
         }
         const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
         try {
-          fs15.writeFileSync(tmp, YAML11.stringify(doc), "utf-8");
-          fs15.renameSync(tmp, manifestPath);
+          fs14.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+          fs14.renameSync(tmp, manifestPath);
         } finally {
           try {
-            fs15.unlinkSync(tmp);
+            fs14.unlinkSync(tmp);
           } catch {
           }
         }
@@ -21676,8 +21657,8 @@ var init_manager2 = __esm({
           throw new Error(`Service identity '${name}' not found.`);
         }
         const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-        const raw = fs15.readFileSync(manifestPath, "utf-8");
-        const doc = YAML11.parse(raw);
+        const raw = fs14.readFileSync(manifestPath, "utf-8");
+        const doc = YAML10.parse(raw);
         const identities = doc.service_identities;
         const siDoc = identities.find((si) => si.name === name);
         const envs = siDoc.environments;
@@ -21732,11 +21713,11 @@ var init_manager2 = __esm({
         }
         const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
         try {
-          fs15.writeFileSync(tmpRotate, YAML11.stringify(doc), "utf-8");
-          fs15.renameSync(tmpRotate, manifestPath);
+          fs14.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+          fs14.renameSync(tmpRotate, manifestPath);
         } finally {
           try {
-            fs15.unlinkSync(tmpRotate);
+            fs14.unlinkSync(tmpRotate);
           } catch {
           }
         }
@@ -21866,7 +21847,7 @@ var init_resolve = __esm({
 // ../core/src/artifact/signer.ts
 function buildSigningPayload(artifact) {
   const fields = [
-    "clef-sig-v1",
+    "clef-sig-v2",
     String(artifact.version),
     artifact.identity,
     artifact.environment,
@@ -21878,7 +21859,9 @@ function buildSigningPayload(artifact) {
     artifact.envelope?.provider ?? "",
     artifact.envelope?.keyId ?? "",
     artifact.envelope?.wrappedKey ?? "",
-    artifact.envelope?.algorithm ?? ""
+    artifact.envelope?.algorithm ?? "",
+    artifact.envelope?.iv ?? "",
+    artifact.envelope?.authTag ?? ""
   ];
   return Buffer.from(fields.join("\n"), "utf-8");
 }
@@ -21948,11 +21931,11 @@ var init_signer = __esm({
 });
 
 // ../core/src/artifact/packer.ts
-var fs16, path18, crypto4, ArtifactPacker;
+var fs15, path18, crypto4, ArtifactPacker;
 var init_packer = __esm({
   "../core/src/artifact/packer.ts"() {
     "use strict";
-    fs16 = __toESM(require("fs"));
+    fs15 = __toESM(require("fs"));
     path18 = __toESM(require("path"));
     crypto4 = __toESM(require("crypto"));
     init_types();
@@ -21989,37 +21972,41 @@ var init_packer = __esm({
           if (!this.kms) {
             throw new Error("KMS provider required for envelope encryption but none was provided.");
           }
-          const { generateIdentity, identityToRecipient, Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
-          const ephemeralPrivateKey = await generateIdentity();
-          const ephemeralPublicKey = await identityToRecipient(ephemeralPrivateKey);
+          const dek = crypto4.randomBytes(32);
+          const iv = crypto4.randomBytes(12);
           try {
-            const e = new Encrypter();
-            e.addRecipient(ephemeralPublicKey);
-            const encrypted = await e.encrypt(plaintext);
-            ciphertext = Buffer.from(encrypted).toString("base64");
-          } catch {
-            throw new Error("Failed to age-encrypt artifact with ephemeral key.");
+            const cipher = crypto4.createCipheriv("aes-256-gcm", dek, iv);
+            const ciphertextBuf = Buffer.concat([
+              cipher.update(Buffer.from(plaintext, "utf-8")),
+              cipher.final()
+            ]);
+            const authTag = cipher.getAuthTag();
+            ciphertext = ciphertextBuf.toString("base64");
+            const kmsConfig = resolved.envConfig.kms;
+            const wrapped = await this.kms.wrap(kmsConfig.keyId, dek);
+            const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
+            const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
+            artifact = {
+              version: 1,
+              identity: config.identity,
+              environment: config.environment,
+              packedAt: (/* @__PURE__ */ new Date()).toISOString(),
+              revision,
+              ciphertextHash,
+              ciphertext,
+              keys: Object.keys(resolved.values),
+              envelope: {
+                provider: kmsConfig.provider,
+                keyId: kmsConfig.keyId,
+                wrappedKey: wrapped.wrappedKey.toString("base64"),
+                algorithm: wrapped.algorithm,
+                iv: iv.toString("base64"),
+                authTag: authTag.toString("base64")
+              }
+            };
+          } finally {
+            dek.fill(0);
           }
-          const kmsConfig = resolved.envConfig.kms;
-          const wrapped = await this.kms.wrap(kmsConfig.keyId, Buffer.from(ephemeralPrivateKey));
-          const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
-          const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
-          artifact = {
-            version: 1,
-            identity: config.identity,
-            environment: config.environment,
-            packedAt: (/* @__PURE__ */ new Date()).toISOString(),
-            revision,
-            ciphertextHash,
-            ciphertext,
-            keys: Object.keys(resolved.values),
-            envelope: {
-              provider: kmsConfig.provider,
-              keyId: kmsConfig.keyId,
-              wrappedKey: wrapped.wrappedKey.toString("base64"),
-              algorithm: wrapped.algorithm
-            }
-          };
         } else {
           try {
             const { Encrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
@@ -22027,8 +22014,10 @@ var init_packer = __esm({
             e.addRecipient(resolved.recipient);
             const encrypted = await e.encrypt(plaintext);
             ciphertext = Buffer.from(encrypted).toString("base64");
-          } catch {
-            throw new Error("Failed to age-encrypt artifact. Check recipient key.");
+          } catch (err) {
+            throw new Error(
+              `Failed to age-encrypt artifact: ${err instanceof Error ? err.message : String(err)}`
+            );
           }
           const revision = `${Date.now()}-${crypto4.randomBytes(4).toString("hex")}`;
           const ciphertextHash = crypto4.createHash("sha256").update(ciphertext).digest("hex");
@@ -22044,8 +22033,8 @@ var init_packer = __esm({
           };
         }
         const outputDir = path18.dirname(config.outputPath);
-        if (!fs16.existsSync(outputDir)) {
-          fs16.mkdirSync(outputDir, { recursive: true });
+        if (!fs15.existsSync(outputDir)) {
+          fs15.mkdirSync(outputDir, { recursive: true });
         }
         if (config.ttl && config.ttl > 0) {
           artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
@@ -22064,8 +22053,8 @@ var init_packer = __esm({
         }
         const json = JSON.stringify(artifact, null, 2);
         const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
-        fs16.writeFileSync(tmpOutput, json, "utf-8");
-        fs16.renameSync(tmpOutput, config.outputPath);
+        fs15.writeFileSync(tmpOutput, json, "utf-8");
+        fs15.renameSync(tmpOutput, config.outputPath);
         return {
           outputPath: config.outputPath,
           namespaceCount: resolved.identity.namespaces.length,
@@ -22078,6 +22067,23 @@ var init_packer = __esm({
   }
 });
 
+// ../core/src/kms/types.ts
+var VALID_KMS_PROVIDERS;
+var init_types2 = __esm({
+  "../core/src/kms/types.ts"() {
+    "use strict";
+    VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
+  }
+});
+
+// ../core/src/kms/index.ts
+var init_kms = __esm({
+  "../core/src/kms/index.ts"() {
+    "use strict";
+    init_types2();
+  }
+});
+
 // ../core/src/index.ts
 var src_exports = {};
 __export(src_exports, {
@@ -22117,6 +22123,7 @@ __export(src_exports, {
   SopsMergeDriver: () => SopsMergeDriver,
   SopsMissingError: () => SopsMissingError,
   SopsVersionError: () => SopsVersionError,
+  VALID_KMS_PROVIDERS: () => VALID_KMS_PROVIDERS,
   assertSops: () => assertSops,
   buildSigningPayload: () => buildSigningPayload,
   checkAll: () => checkAll,
@@ -22143,7 +22150,7 @@ __export(src_exports, {
   markResolved: () => markResolved,
   matchPatterns: () => matchPatterns,
   metadataPath: () => metadataPath,
-  parse: () => parse7,
+  parse: () => parse8,
   parseDotenv: () => parseDotenv,
   parseIgnoreContent: () => parseIgnoreContent,
   parseJson: () => parseJson,
@@ -22197,6 +22204,7 @@ var init_src = __esm({
     init_resolve();
     init_packer();
     init_signer();
+    init_kms();
   }
 });
 
@@ -22285,7 +22293,7 @@ var require_ms = __commonJS({
       options = options || {};
       var type = typeof val;
       if (type === "string" && val.length > 0) {
-        return parse16(val);
+        return parse15(val);
       } else if (type === "number" && isFinite(val)) {
         return options.long ? fmtLong(val) : fmtShort(val);
       }
@@ -22293,7 +22301,7 @@ var require_ms = __commonJS({
         "val is not a non-empty string or a valid number. val=" + JSON.stringify(val)
       );
     };
-    function parse16(str2) {
+    function parse15(str2) {
       str2 = String(str2);
       if (str2.length > 100) {
         return;
@@ -22752,7 +22760,7 @@ var require_has_flag = __commonJS({
 var require_supports_color = __commonJS({
   "../../node_modules/supports-color/index.js"(exports2, module2) {
     "use strict";
-    var os3 = require("os");
+    var os4 = require("os");
     var tty = require("tty");
     var hasFlag = require_has_flag();
     var { env } = process;
@@ -22800,7 +22808,7 @@ var require_supports_color = __commonJS({
         return min;
       }
       if (process.platform === "win32") {
-        const osRelease = os3.release().split(".");
+        const osRelease = os4.release().split(".");
         if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) {
           return Number(osRelease[2]) >= 14931 ? 3 : 2;
         }
@@ -23732,7 +23740,7 @@ var require_bytes = __commonJS({
     "use strict";
     module2.exports = bytes;
     module2.exports.format = format;
-    module2.exports.parse = parse16;
+    module2.exports.parse = parse15;
     var formatThousandsRegExp = /\B(?=(\d{3})+(?!\d))/g;
     var formatDecimalsRegExp = /(?:\.0*|(\.[^0]+)0+)$/;
     var map = {
@@ -23746,7 +23754,7 @@ var require_bytes = __commonJS({
     var parseRegExp = /^((-|\+)?(\d+(?:\.\d+)?)) *(kb|mb|gb|tb|pb)$/i;
     function bytes(value, options) {
       if (typeof value === "string") {
-        return parse16(value);
+        return parse15(value);
       }
       if (typeof value === "number") {
         return format(value, options);
@@ -23790,7 +23798,7 @@ var require_bytes = __commonJS({
       }
       return str2 + unitSeparator + unit;
     }
-    function parse16(val) {
+    function parse15(val) {
       if (typeof val === "number" && !isNaN(val)) {
         return val;
       }
@@ -27995,7 +28003,7 @@ var require_content_type = __commonJS({
     var QUOTE_REGEXP = /([\\"])/g;
     var TYPE_REGEXP = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+\/[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
     exports2.format = format;
-    exports2.parse = parse16;
+    exports2.parse = parse15;
     function format(obj) {
       if (!obj || typeof obj !== "object") {
         throw new TypeError("argument obj is required");
@@ -28019,7 +28027,7 @@ var require_content_type = __commonJS({
       }
       return string;
     }
-    function parse16(string) {
+    function parse15(string) {
       if (!string) {
         throw new TypeError("argument string is required");
       }
@@ -37601,7 +37609,7 @@ var require_media_typer = __commonJS({
     var TYPE_NAME_REGEXP = /^[A-Za-z0-9][A-Za-z0-9!#$&^_-]{0,126}$/;
     var TYPE_REGEXP = /^ *([A-Za-z0-9][A-Za-z0-9!#$&^_-]{0,126})\/([A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}) *$/;
     exports2.format = format;
-    exports2.parse = parse16;
+    exports2.parse = parse15;
     exports2.test = test;
     function format(obj) {
       if (!obj || typeof obj !== "object") {
@@ -37634,7 +37642,7 @@ var require_media_typer = __commonJS({
       }
       return TYPE_REGEXP.test(string.toLowerCase());
     }
-    function parse16(string) {
+    function parse15(string) {
       if (!string) {
         throw new TypeError("argument string is required");
       }
@@ -37820,7 +37828,7 @@ var require_read = __commonJS({
     var hasBody = require_type_is().hasBody;
     var { getCharset } = require_utils();
     module2.exports = read;
-    function read(req, res, next, parse16, debug, options) {
+    function read(req, res, next, parse15, debug, options) {
       if (onFinished.isFinished(req)) {
         debug("body already parsed");
         next();
@@ -37908,7 +37916,7 @@ var require_read = __commonJS({
         try {
           debug("parse body");
           str2 = typeof body !== "string" && encoding !== null ? iconv.decode(body, encoding) : body;
-          req.body = parse16(str2, encoding);
+          req.body = parse15(str2, encoding);
         } catch (err) {
           next(createError(400, err, {
             body: str2,
@@ -37981,7 +37989,7 @@ var require_json = __commonJS({
       const normalizedOptions = normalizeOptions(options, "application/json");
       var reviver = options?.reviver;
       var strict = options?.strict !== false;
-      function parse16(body) {
+      function parse15(body) {
         if (body.length === 0) {
           return {};
         }
@@ -38008,7 +38016,7 @@ var require_json = __commonJS({
         isValidCharset: (charset) => charset.slice(0, 4) === "utf-"
       };
       return function jsonParser(req, res, next) {
-        read(req, res, next, parse16, debug, readOptions);
+        read(req, res, next, parse15, debug, readOptions);
       };
     }
     function createStrictSyntaxError(str2, char) {
@@ -40586,11 +40594,11 @@ var require_lib2 = __commonJS({
   "../../node_modules/qs/lib/index.js"(exports2, module2) {
     "use strict";
     var stringify7 = require_stringify2();
-    var parse16 = require_parse();
+    var parse15 = require_parse();
     var formats = require_formats();
     module2.exports = {
       formats,
-      parse: parse16,
+      parse: parse15,
       stringify: stringify7
     };
   }
@@ -40612,7 +40620,7 @@ var require_urlencoded = __commonJS({
         throw new TypeError("option defaultCharset must be either utf-8 or iso-8859-1");
       }
       var queryparse = createQueryParser(options);
-      function parse16(body, encoding) {
+      function parse15(body, encoding) {
         return body.length ? queryparse(body, encoding) : {};
       }
       const readOptions = {
@@ -40621,7 +40629,7 @@ var require_urlencoded = __commonJS({
         isValidCharset: (charset) => charset === "utf-8" || charset === "iso-8859-1"
       };
       return function urlencodedParser(req, res, next) {
-        read(req, res, next, parse16, debug, readOptions);
+        read(req, res, next, parse15, debug, readOptions);
       };
     }
     function createQueryParser(options) {
@@ -40805,7 +40813,7 @@ var require_parseurl = __commonJS({
   "../../node_modules/parseurl/index.js"(exports2, module2) {
     "use strict";
     var url = require("url");
-    var parse16 = url.parse;
+    var parse15 = url.parse;
     var Url = url.Url;
     module2.exports = parseurl;
     module2.exports.original = originalurl;
@@ -40837,7 +40845,7 @@ var require_parseurl = __commonJS({
     }
     function fastparse(str2) {
       if (typeof str2 !== "string" || str2.charCodeAt(0) !== 47) {
-        return parse16(str2);
+        return parse15(str2);
       }
       var pathname = str2;
       var query = null;
@@ -40865,7 +40873,7 @@ var require_parseurl = __commonJS({
           /* #  */
           case 160:
           case 65279:
-            return parse16(str2);
+            return parse15(str2);
         }
       }
       var url2 = Url !== void 0 ? new Url() : {};
@@ -41017,7 +41025,7 @@ var require_view = __commonJS({
     "use strict";
     var debug = require_src()("express:view");
     var path44 = require("node:path");
-    var fs27 = require("node:fs");
+    var fs26 = require("node:fs");
     var dirname7 = path44.dirname;
     var basename5 = path44.basename;
     var extname2 = path44.extname;
@@ -41097,7 +41105,7 @@ var require_view = __commonJS({
     function tryStat(path45) {
       debug('stat "%s"', path45);
       try {
-        return fs27.statSync(path45);
+        return fs26.statSync(path45);
       } catch (e) {
         return void 0;
       }
@@ -50661,7 +50669,7 @@ var require_forwarded = __commonJS({
       if (!req) {
         throw new TypeError("argument req is required");
       }
-      var proxyAddrs = parse16(req.headers["x-forwarded-for"] || "");
+      var proxyAddrs = parse15(req.headers["x-forwarded-for"] || "");
       var socketAddr = getSocketAddr(req);
       var addrs = [socketAddr].concat(proxyAddrs);
       return addrs;
@@ -50669,7 +50677,7 @@ var require_forwarded = __commonJS({
     function getSocketAddr(req) {
       return req.socket ? req.socket.remoteAddress : req.connection.remoteAddress;
     }
-    function parse16(header) {
+    function parse15(header) {
       var end = header.length;
       var list = [];
       var start = header.length;
@@ -51698,7 +51706,7 @@ var require_dist2 = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.PathError = exports2.TokenData = void 0;
-    exports2.parse = parse16;
+    exports2.parse = parse15;
     exports2.compile = compile;
     exports2.match = match;
     exports2.pathToRegexp = pathToRegexp;
@@ -51744,7 +51752,7 @@ var require_dist2 = __commonJS({
       }
     };
     exports2.PathError = PathError;
-    function parse16(str2, options = {}) {
+    function parse15(str2, options = {}) {
       const { encodePath = NOOP_VALUE } = options;
       const chars = [...str2];
       const tokens = [];
@@ -51834,7 +51842,7 @@ var require_dist2 = __commonJS({
     }
     function compile(path44, options = {}) {
       const { encode = encodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
-      const data = typeof path44 === "object" ? path44 : parse16(path44, options);
+      const data = typeof path44 === "object" ? path44 : parse15(path44, options);
       const fn = tokensToFunction(data.tokens, delimiter, encode);
       return function path45(params = {}) {
         const [path46, ...missing] = fn(params);
@@ -51929,7 +51937,7 @@ var require_dist2 = __commonJS({
       const flags = sensitive ? "" : "i";
       const sources = [];
       for (const input of pathsToArray(path44, [])) {
-        const data = typeof input === "object" ? input : parse16(input, options);
+        const data = typeof input === "object" ? input : parse15(input, options);
         for (const tokens of flatten(data.tokens, 0, [])) {
           sources.push(toRegExpSource(tokens, delimiter, keys, data.originalPath));
         }
@@ -63238,7 +63246,7 @@ var require_request = __commonJS({
     var http = require("node:http");
     var fresh = require_fresh();
     var parseRange = require_range_parser();
-    var parse16 = require_parseurl();
+    var parse15 = require_parseurl();
     var proxyaddr = require_proxy_addr();
     var req = Object.create(http.IncomingMessage.prototype);
     module2.exports = req;
@@ -63283,7 +63291,7 @@ var require_request = __commonJS({
       if (!queryparse) {
         return /* @__PURE__ */ Object.create(null);
       }
-      var querystring = parse16(this).query;
+      var querystring = parse15(this).query;
       return queryparse(querystring);
     });
     req.is = function is(types) {
@@ -63327,7 +63335,7 @@ var require_request = __commonJS({
       return subdomains2.slice(offset);
     });
     defineGetter(req, "path", function path44() {
-      return parse16(this).pathname;
+      return parse15(this).pathname;
     });
     defineGetter(req, "host", function host() {
       var trust = this.app.get("trust proxy fn");
@@ -63381,7 +63389,7 @@ var require_content_disposition = __commonJS({
   "../../node_modules/content-disposition/index.js"(exports2, module2) {
     "use strict";
     module2.exports = contentDisposition;
-    module2.exports.parse = parse16;
+    module2.exports.parse = parse15;
     var basename5 = require("path").basename;
     var ENCODE_URL_ATTR_CHAR_REGEXP = /[\x00-\x20"'()*,/:;<=>?@[\\\]{}\x7f]/g;
     var HEX_ESCAPE_REGEXP = /%[0-9A-Fa-f]{2}/;
@@ -63472,7 +63480,7 @@ var require_content_disposition = __commonJS({
     function getlatin1(val) {
       return String(val).replace(NON_LATIN1_REGEXP, "?");
     }
-    function parse16(string) {
+    function parse15(string) {
       if (!string || typeof string !== "string") {
         throw new TypeError("argument string is required");
       }
@@ -63561,7 +63569,7 @@ var require_cookie_signature = __commonJS({
 var require_cookie = __commonJS({
   "../../node_modules/cookie/index.js"(exports2) {
     "use strict";
-    exports2.parse = parse16;
+    exports2.parse = parse15;
     exports2.serialize = serialize;
     var __toString = Object.prototype.toString;
     var __hasOwnProperty = Object.prototype.hasOwnProperty;
@@ -63569,7 +63577,7 @@ var require_cookie = __commonJS({
     var cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
     var domainValueRegExp = /^([.]?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)([.][a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
     var pathValueRegExp = /^[\u0020-\u003A\u003D-\u007E]*$/;
-    function parse16(str2, opt) {
+    function parse15(str2, opt) {
       if (typeof str2 !== "string") {
         throw new TypeError("argument str must be a string");
       }
@@ -73238,7 +73246,7 @@ var require_send = __commonJS({
     var escapeHtml = require_escape_html();
     var etag = require_etag();
     var fresh = require_fresh();
-    var fs27 = require("fs");
+    var fs26 = require("fs");
     var mime = require_mime_types4();
     var ms = require_ms();
     var onFinished = require_on_finished();
@@ -73520,7 +73528,7 @@ var require_send = __commonJS({
       var i = 0;
       var self = this;
       debug('stat "%s"', path45);
-      fs27.stat(path45, function onstat(err, stat) {
+      fs26.stat(path45, function onstat(err, stat) {
         var pathEndsWithSep = path45[path45.length - 1] === sep;
         if (err && err.code === "ENOENT" && !extname2(path45) && !pathEndsWithSep) {
           return next(err);
@@ -73537,7 +73545,7 @@ var require_send = __commonJS({
         }
         var p = path45 + "." + self._extensions[i++];
         debug('stat "%s"', p);
-        fs27.stat(p, function(err2, stat) {
+        fs26.stat(p, function(err2, stat) {
           if (err2) return next(err2);
           if (stat.isDirectory()) return next();
           self.emit("file", p, stat);
@@ -73555,7 +73563,7 @@ var require_send = __commonJS({
         }
         var p = join39(path45, self._index[i]);
         debug('stat "%s"', p);
-        fs27.stat(p, function(err2, stat) {
+        fs26.stat(p, function(err2, stat) {
           if (err2) return next(err2);
           if (stat.isDirectory()) return next();
           self.emit("file", p, stat);
@@ -73567,7 +73575,7 @@ var require_send = __commonJS({
     SendStream.prototype.stream = function stream(path45, options) {
       var self = this;
       var res = this.res;
-      var stream2 = fs27.createReadStream(path45, options);
+      var stream2 = fs26.createReadStream(path45, options);
       this.emit("stream", stream2);
       stream2.pipe(res);
       function cleanup() {
@@ -73725,7 +73733,7 @@ var require_vary = __commonJS({
       if (!field) {
         throw new TypeError("field argument is required");
       }
-      var fields = !Array.isArray(field) ? parse16(String(field)) : field;
+      var fields = !Array.isArray(field) ? parse15(String(field)) : field;
       for (var j = 0; j < fields.length; j++) {
         if (!FIELD_NAME_REGEXP.test(fields[j])) {
           throw new TypeError("field argument contains an invalid header name");
@@ -73735,7 +73743,7 @@ var require_vary = __commonJS({
         return header;
       }
       var val = header;
-      var vals = parse16(header.toLowerCase());
+      var vals = parse15(header.toLowerCase());
       if (fields.indexOf("*") !== -1 || vals.indexOf("*") !== -1) {
         return "*";
       }
@@ -73748,7 +73756,7 @@ var require_vary = __commonJS({
       }
       return val;
     }
-    function parse16(header) {
+    function parse15(header) {
       var end = 0;
       var list = [];
       var start = 0;
@@ -75253,7 +75261,7 @@ var require_api = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.createApiRouter = createApiRouter;
     var path44 = __importStar(require("path"));
-    var os3 = __importStar(require("os"));
+    var os4 = __importStar(require("os"));
     var child_process_1 = require("child_process");
     var express_1 = require_express2();
     var _useStdinFifo = process.platform === "linux" && !process.env.JEST_WORKER_ID;
@@ -75273,7 +75281,7 @@ var require_api = __commonJS({
               env: { SOPS_CONFIG: path44.join(deps2.repoRoot, ".sops.yaml"), ...opts?.env }
             });
           }
-          const fifoDir = (0, child_process_1.execFileSync)("mktemp", ["-d", path44.join(os3.tmpdir(), "clef-fifo-XXXXXX")]).toString().trim();
+          const fifoDir = (0, child_process_1.execFileSync)("mktemp", ["-d", path44.join(os4.tmpdir(), "clef-fifo-XXXXXX")]).toString().trim();
           const fifoPath = path44.join(fifoDir, "input");
           (0, child_process_1.execFileSync)("mkfifo", [fifoPath]);
           const writer = (0, child_process_1.spawn)("dd", [`of=${fifoPath}`, "status=none"], {
@@ -75307,6 +75315,7 @@ var require_api = __commonJS({
       const git = new core_1.GitIntegration(deps2.runner);
       const scanRunner = new core_1.ScanRunner(deps2.runner);
       const recipientManager = new core_1.RecipientManager(sops, matrix);
+      const serviceIdManager = new core_1.ServiceIdentityManager(sops, matrix);
       const bulkOps = new core_1.BulkOps();
       let lastScanResult = null;
       let lastScanAt = null;
@@ -75314,6 +75323,10 @@ var require_api = __commonJS({
         const manifestPath = `${deps2.repoRoot}/clef.yaml`;
         return parser.parse(manifestPath);
       }
+      function zeroStringRecord(record) {
+        for (const k of Object.keys(record))
+          record[k] = "";
+      }
       function setNoCacheHeaders(res) {
         res.set({
           "Cache-Control": "no-store, no-cache, must-revalidate",
@@ -75555,6 +75568,14 @@ var require_api = __commonJS({
             return;
           }
           const result = await diffEngine.diffFiles(ns, envA, envB, manifest, sops, deps2.repoRoot);
+          if (req.query.showValues !== "true") {
+            for (const row of result.rows) {
+              if (row.valueA !== null)
+                row.valueA = "\u25CF\u25CF\u25CF\u25CF\u25CF\u25CF\u25CF\u25CF";
+              if (row.valueB !== null)
+                row.valueB = "\u25CF\u25CF\u25CF\u25CF\u25CF\u25CF\u25CF\u25CF";
+            }
+          }
           res.json(result);
         } catch {
           res.status(500).json({ error: "Failed to compute diff", code: "DIFF_ERROR" });
@@ -75883,6 +75904,100 @@ var require_api = __commonJS({
           res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
         }
       });
+      router.post("/service-identities", async (req, res) => {
+        try {
+          const manifest = loadManifest();
+          const { name, description, namespaces, kmsEnvConfigs } = req.body;
+          if (!name || typeof name !== "string") {
+            res.status(400).json({ error: "name is required.", code: "BAD_REQUEST" });
+            return;
+          }
+          if (!Array.isArray(namespaces) || namespaces.length === 0) {
+            res.status(400).json({ error: "namespaces must be a non-empty array.", code: "BAD_REQUEST" });
+            return;
+          }
+          let typedKmsConfigs;
+          if (kmsEnvConfigs && Object.keys(kmsEnvConfigs).length > 0) {
+            typedKmsConfigs = {};
+            for (const [envName, cfg] of Object.entries(kmsEnvConfigs)) {
+              if (!core_1.VALID_KMS_PROVIDERS.includes(cfg.provider)) {
+                res.status(400).json({
+                  error: `Invalid KMS provider '${cfg.provider}' for environment '${envName}'. Must be aws, gcp, or azure.`,
+                  code: "BAD_REQUEST"
+                });
+                return;
+              }
+              typedKmsConfigs[envName] = {
+                provider: cfg.provider,
+                keyId: cfg.keyId
+              };
+            }
+          }
+          const result = await serviceIdManager.create(name, namespaces, description ?? "", manifest, deps2.repoRoot, typedKmsConfigs);
+          setNoCacheHeaders(res);
+          res.json({ identity: result.identity, privateKeys: result.privateKeys });
+          zeroStringRecord(result.privateKeys);
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "Failed to create service identity";
+          res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
+        }
+      });
+      router.delete("/service-identities/:name", async (req, res) => {
+        try {
+          const name = req.params.name;
+          const manifest = loadManifest();
+          if (!manifest.service_identities?.find((si) => si.name === name)) {
+            res.status(404).json({ error: `Service identity '${name}' not found.`, code: "NOT_FOUND" });
+            return;
+          }
+          await serviceIdManager.delete(name, manifest, deps2.repoRoot);
+          res.json({ ok: true });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "Failed to delete service identity";
+          res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
+        }
+      });
+      router.patch("/service-identities/:name", async (req, res) => {
+        try {
+          const name = req.params.name;
+          const { kmsEnvConfigs } = req.body;
+          if (!kmsEnvConfigs || Object.keys(kmsEnvConfigs).length === 0) {
+            res.status(400).json({ error: "kmsEnvConfigs must be a non-empty object.", code: "BAD_REQUEST" });
+            return;
+          }
+          const manifest = loadManifest();
+          const typedKmsConfigs = {};
+          for (const [envName, cfg] of Object.entries(kmsEnvConfigs)) {
+            if (cfg.provider !== "aws" && cfg.provider !== "gcp" && cfg.provider !== "azure") {
+              res.status(400).json({
+                error: `Invalid KMS provider '${cfg.provider}' for environment '${envName}'. Must be aws, gcp, or azure.`,
+                code: "BAD_REQUEST"
+              });
+              return;
+            }
+            typedKmsConfigs[envName] = { provider: cfg.provider, keyId: cfg.keyId };
+          }
+          await serviceIdManager.updateEnvironments(name, typedKmsConfigs, manifest, deps2.repoRoot);
+          res.json({ ok: true });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "Failed to update service identity";
+          res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
+        }
+      });
+      router.post("/service-identities/:name/rotate", async (req, res) => {
+        try {
+          const name = req.params.name;
+          const { environment } = req.body;
+          const manifest = loadManifest();
+          const privateKeys = await serviceIdManager.rotateKey(name, manifest, deps2.repoRoot, environment);
+          setNoCacheHeaders(res);
+          res.json({ privateKeys });
+          zeroStringRecord(privateKeys);
+        } catch (err) {
+          const message = err instanceof Error ? err.message : "Failed to rotate service identity key";
+          res.status(500).json({ error: message, code: "SERVICE_IDENTITY_ERROR" });
+        }
+      });
       function dispose() {
         lastScanResult = null;
         lastScanAt = null;
@@ -76038,7 +76153,7 @@ var require_server = __commonJS({
         const resolvedClientDir = clientDir ?? path44.resolve(__dirname, "../client");
         app.use(staticLimiter, express_1.default.static(resolvedClientDir));
         app.get("/{*splat}", staticLimiter, (_req, res) => {
-          res.sendFile(path44.join(resolvedClientDir, "index.html"));
+          res.sendFile("index.html", { root: resolvedClientDir });
         });
       }
       const url = `http://127.0.0.1:${port}`;
@@ -76092,6 +76207,11 @@ var require_secrets_cache = __commonJS({
       snapshot = null;
       /** Replace the cached secrets in a single reference assignment. */
       swap(values, keys, revision) {
+        if (this.snapshot) {
+          for (const k of Object.keys(this.snapshot.values)) {
+            this.snapshot.values[k] = "";
+          }
+        }
         this.snapshot = { values: { ...values }, keys: [...keys], revision, swappedAt: Date.now() };
       }
       /** Whether the cache has exceeded the given TTL (seconds). */
@@ -76100,8 +76220,13 @@ var require_secrets_cache = __commonJS({
           return false;
         return (Date.now() - this.snapshot.swappedAt) / 1e3 > ttlSeconds;
       }
-      /** Clear the cached snapshot. */
+      /** Clear the cached snapshot, zeroing values first (best-effort). */
       wipe() {
+        if (this.snapshot) {
+          for (const k of Object.keys(this.snapshot.values)) {
+            this.snapshot.values[k] = "";
+          }
+        }
         this.snapshot = null;
       }
       /** Epoch ms when the cache was last swapped, or null if never loaded. */
@@ -76180,7 +76305,7 @@ var require_disk_cache = __commonJS({
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.DiskCache = void 0;
-    var fs27 = __importStar(require("fs"));
+    var fs26 = __importStar(require("fs"));
     var path44 = __importStar(require("path"));
     var DiskCache = class {
       artifactPath;
@@ -76193,39 +76318,35 @@ var require_disk_cache = __commonJS({
       /** Write an artifact and optional metadata to disk (atomic via tmp+rename). */
       write(raw, sha) {
         const dir = path44.dirname(this.artifactPath);
-        fs27.mkdirSync(dir, { recursive: true });
+        fs26.mkdirSync(dir, { recursive: true });
         const tmpArtifact = `${this.artifactPath}.tmp.${process.pid}`;
-        fs27.writeFileSync(tmpArtifact, raw, "utf-8");
-        fs27.renameSync(tmpArtifact, this.artifactPath);
+        fs26.writeFileSync(tmpArtifact, raw, "utf-8");
+        fs26.renameSync(tmpArtifact, this.artifactPath);
         const meta = { sha, fetchedAt: (/* @__PURE__ */ new Date()).toISOString() };
         const tmpMeta = `${this.metaPath}.tmp.${process.pid}`;
-        fs27.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
-        fs27.renameSync(tmpMeta, this.metaPath);
+        fs26.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
+        fs26.renameSync(tmpMeta, this.metaPath);
       }
       /** Read the cached artifact. Returns null if no cache file exists. */
       read() {
         try {
-          return fs27.readFileSync(this.artifactPath, "utf-8");
+          return fs26.readFileSync(this.artifactPath, "utf-8");
         } catch {
           return null;
         }
       }
       /** Get the SHA from the cached metadata, if available. */
       getCachedSha() {
-        try {
-          const raw = fs27.readFileSync(this.metaPath, "utf-8");
-          const meta = JSON.parse(raw);
-          return meta.sha;
-        } catch {
-          return void 0;
-        }
+        return this.readMeta()?.sha;
       }
       /** Get the fetchedAt timestamp from metadata, if available. */
       getFetchedAt() {
+        return this.readMeta()?.fetchedAt;
+      }
+      readMeta() {
         try {
-          const raw = fs27.readFileSync(this.metaPath, "utf-8");
-          const meta = JSON.parse(raw);
-          return meta.fetchedAt;
+          const raw = fs26.readFileSync(this.metaPath, "utf-8");
+          return JSON.parse(raw);
         } catch {
           return void 0;
         }
@@ -76233,11 +76354,11 @@ var require_disk_cache = __commonJS({
       /** Remove cached artifact and metadata files. */
       purge() {
         try {
-          fs27.unlinkSync(this.artifactPath);
+          fs26.unlinkSync(this.artifactPath);
         } catch {
         }
         try {
-          fs27.unlinkSync(this.metaPath);
+          fs26.unlinkSync(this.metaPath);
         } catch {
         }
       }
@@ -76289,7 +76410,7 @@ var require_decrypt = __commonJS({
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.AgeDecryptor = void 0;
-    var fs27 = __importStar(require("fs"));
+    var fs26 = __importStar(require("fs"));
     var AgeDecryptor = class {
       /**
        * Decrypt an age-encrypted PEM-armored ciphertext string.
@@ -76315,7 +76436,7 @@ var require_decrypt = __commonJS({
         if (ageKey)
           return ageKey.trim();
         if (ageKeyFile) {
-          const content = fs27.readFileSync(ageKeyFile, "utf-8").trim();
+          const content = fs26.readFileSync(ageKeyFile, "utf-8").trim();
           const lines = content.split("\n").filter((l) => l.startsWith("AGE-SECRET-KEY-"));
           if (lines.length === 0) {
             throw new Error(`No age secret key found in file: ${ageKeyFile}`);
@@ -76647,6 +76768,147 @@ var require_kms = __commonJS({
   }
 });
 
+// ../runtime/dist/artifact-decryptor.js
+var require_artifact_decryptor = __commonJS({
+  "../runtime/dist/artifact-decryptor.js"(exports2) {
+    "use strict";
+    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
+      Object.defineProperty(o, "default", { enumerable: true, value: v });
+    }) : function(o, v) {
+      o["default"] = v;
+    });
+    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
+      var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function(o2) {
+          var ar = [];
+          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
+          return ar;
+        };
+        return ownKeys(o);
+      };
+      return function(mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) {
+          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        }
+        __setModuleDefault(result, mod);
+        return result;
+      };
+    })();
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.ArtifactDecryptor = void 0;
+    var crypto6 = __importStar(require("crypto"));
+    var decrypt_1 = require_decrypt();
+    var kms_1 = require_kms();
+    var ArtifactDecryptor = class {
+      ageDecryptor = new decrypt_1.AgeDecryptor();
+      privateKey;
+      telemetryOverride;
+      initialTelemetry;
+      constructor(options) {
+        this.privateKey = options.privateKey;
+        this.initialTelemetry = options.telemetry;
+      }
+      /** Set or replace the telemetry emitter. */
+      setTelemetry(emitter) {
+        this.telemetryOverride = emitter;
+      }
+      get telemetry() {
+        return this.telemetryOverride ?? this.initialTelemetry;
+      }
+      /**
+       * Decrypt an artifact envelope into plaintext key-value pairs.
+       *
+       * @throws On KMS unwrap failure, AES-GCM auth failure, age decrypt failure,
+       *         missing private key (config error), or malformed plaintext JSON.
+       */
+      async decrypt(artifact) {
+        let plaintext;
+        if (artifact.envelope) {
+          plaintext = await this.decryptKmsEnvelope(artifact);
+        } else {
+          plaintext = await this.decryptAge(artifact);
+        }
+        let values;
+        try {
+          values = JSON.parse(plaintext);
+        } catch (err) {
+          this.telemetry?.artifactInvalid({
+            reason: "payload_parse",
+            error: err instanceof Error ? err.message : String(err)
+          });
+          throw err;
+        } finally {
+          plaintext = "";
+        }
+        return { values, keys: artifact.keys, revision: artifact.revision };
+      }
+      /** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
+      async decryptKmsEnvelope(artifact) {
+        const envelope = artifact.envelope;
+        let dek;
+        try {
+          const kms = (0, kms_1.createKmsProvider)(envelope.provider);
+          const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
+          dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
+        } catch (err) {
+          this.telemetry?.artifactInvalid({
+            reason: "kms_unwrap",
+            error: err instanceof Error ? err.message : String(err)
+          });
+          throw err;
+        }
+        try {
+          const iv = Buffer.from(envelope.iv, "base64");
+          const authTag = Buffer.from(envelope.authTag, "base64");
+          const ciphertextBuf = Buffer.from(artifact.ciphertext, "base64");
+          const decipher = crypto6.createDecipheriv("aes-256-gcm", dek, iv);
+          decipher.setAuthTag(authTag);
+          return Buffer.concat([decipher.update(ciphertextBuf), decipher.final()]).toString("utf-8");
+        } catch (err) {
+          this.telemetry?.artifactInvalid({
+            reason: "decrypt",
+            error: err instanceof Error ? err.message : String(err)
+          });
+          throw err;
+        } finally {
+          dek.fill(0);
+        }
+      }
+      /** Age-only: decrypt with the static private key. */
+      async decryptAge(artifact) {
+        if (!this.privateKey) {
+          throw new Error("Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption.");
+        }
+        try {
+          return await this.ageDecryptor.decrypt(artifact.ciphertext, this.privateKey);
+        } catch (err) {
+          this.telemetry?.artifactInvalid({
+            reason: err instanceof SyntaxError ? "payload_parse" : "decrypt",
+            error: err instanceof Error ? err.message : String(err)
+          });
+          throw err;
+        }
+      }
+    };
+    exports2.ArtifactDecryptor = ArtifactDecryptor;
+  }
+});
+
 // ../runtime/dist/signature.js
 var require_signature = __commonJS({
   "../runtime/dist/signature.js"(exports2) {
@@ -76694,7 +76956,7 @@ var require_signature = __commonJS({
     var crypto6 = __importStar(require("crypto"));
     function buildSigningPayload2(artifact) {
       const fields = [
-        "clef-sig-v1",
+        "clef-sig-v2",
         String(artifact.version),
         artifact.identity,
         artifact.environment,
@@ -76706,7 +76968,9 @@ var require_signature = __commonJS({
         artifact.envelope?.provider ?? "",
         artifact.envelope?.keyId ?? "",
         artifact.envelope?.wrappedKey ?? "",
-        artifact.envelope?.algorithm ?? ""
+        artifact.envelope?.algorithm ?? "",
+        artifact.envelope?.iv ?? "",
+        artifact.envelope?.authTag ?? ""
       ];
       return Buffer.from(fields.join("\n"), "utf-8");
     }
@@ -76773,8 +77037,7 @@ var require_poller = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.ArtifactPoller = void 0;
     var crypto6 = __importStar(require("crypto"));
-    var decrypt_1 = require_decrypt();
-    var kms_1 = require_kms();
+    var artifact_decryptor_1 = require_artifact_decryptor();
     var signature_1 = require_signature();
     var MIN_POLL_MS = 5e3;
     var ArtifactPoller = class {
@@ -76782,21 +77045,68 @@ var require_poller = __commonJS({
       lastContentHash = null;
       lastRevision = null;
       lastExpiresAt = null;
-      decryptor = new decrypt_1.AgeDecryptor();
+      decryptor;
       options;
+      jitMode;
       telemetryOverride;
       constructor(options) {
         this.options = options;
+        this.jitMode = !!options.encryptedStore;
+        this.decryptor = new artifact_decryptor_1.ArtifactDecryptor({
+          privateKey: options.privateKey,
+          telemetry: options.telemetry
+        });
+      }
+      /** Get the decryptor instance (for JIT mode server wiring). */
+      getDecryptor() {
+        return this.decryptor;
       }
       /** Set or replace the telemetry emitter (e.g. after resolving token from secrets). */
       setTelemetry(emitter) {
         this.telemetryOverride = emitter;
+        this.decryptor.setTelemetry(emitter);
       }
       get telemetry() {
         return this.telemetryOverride ?? this.options.telemetry;
       }
-      /** Fetch, validate, decrypt, and cache the artifact. */
+      /**
+       * Fetch, validate, decrypt, and cache the artifact.
+       * Used in cached mode (cacheTtl > 0).
+       */
       async fetchAndDecrypt() {
+        const result = await this.fetchRaw();
+        if (!result)
+          return;
+        await this.validateDecryptAndCache(result.artifact, result.contentHash);
+      }
+      /**
+       * Fetch and validate the artifact without decrypting.
+       * Stores the validated envelope in the encryptedStore for on-demand decryption.
+       * Used in JIT mode (cacheTtl = 0).
+       */
+      async fetchAndValidate() {
+        const result = await this.fetchRaw();
+        if (!result)
+          return;
+        const artifact = this.validateArtifact(result.artifact);
+        this.options.encryptedStore.swap(artifact);
+        this.lastRevision = artifact.revision;
+        this.lastContentHash = result.contentHash ?? null;
+        this.lastExpiresAt = artifact.expiresAt ?? null;
+        this.options.onRefresh?.(artifact.revision);
+        this.telemetry?.artifactRefreshed({
+          revision: artifact.revision,
+          keyCount: artifact.keys.length,
+          kmsEnvelope: !!artifact.envelope
+        });
+      }
+      /**
+       * Fetch the raw artifact from the source (with disk cache fallback),
+       * parse JSON, and check for revocation.
+       *
+       * Returns null when the content hash is unchanged (short-circuit).
+       */
+      async fetchRaw() {
         let raw;
         let contentHash;
         try {
@@ -76804,7 +77114,7 @@ var require_poller = __commonJS({
           raw = result.raw;
           contentHash = result.contentHash;
           if (contentHash && contentHash === this.lastContentHash)
-            return;
+            return null;
           this.options.diskCache?.write(raw, contentHash);
         } catch (err) {
           this.telemetry?.fetchFailed({
@@ -76815,7 +77125,7 @@ var require_poller = __commonJS({
           if (this.options.diskCache) {
             const cached2 = this.options.diskCache.read();
             if (cached2) {
-              if (ttl !== void 0) {
+              if (ttl !== void 0 && ttl > 0) {
                 const fetchedAt = this.options.diskCache.getFetchedAt();
                 if (fetchedAt && (Date.now() - new Date(fetchedAt).getTime()) / 1e3 > ttl) {
                   this.options.cache.wipe();
@@ -76830,9 +77140,9 @@ var require_poller = __commonJS({
               raw = cached2;
               contentHash = this.options.diskCache.getCachedSha();
               if (contentHash && contentHash === this.lastContentHash)
-                return;
+                return null;
             } else {
-              if (ttl !== void 0 && this.options.cache.isExpired(ttl)) {
+              if (ttl !== void 0 && ttl > 0 && this.options.cache.isExpired(ttl)) {
                 this.options.cache.wipe();
                 this.telemetry?.cacheExpired({
                   cacheTtlSeconds: ttl,
@@ -76843,7 +77153,7 @@ var require_poller = __commonJS({
               throw err;
             }
           } else {
-            if (ttl !== void 0 && this.options.cache.isExpired(ttl)) {
+            if (ttl !== void 0 && ttl > 0 && this.options.cache.isExpired(ttl)) {
               this.options.cache.wipe();
               this.telemetry?.cacheExpired({
                 cacheTtlSeconds: ttl,
@@ -76857,6 +77167,7 @@ var require_poller = __commonJS({
         const parsed = JSON.parse(raw);
         if (parsed.revokedAt) {
           this.options.cache.wipe();
+          this.options.encryptedStore?.wipe();
           this.options.diskCache?.purge();
           this.lastRevision = null;
           this.lastContentHash = null;
@@ -76865,17 +77176,18 @@ var require_poller = __commonJS({
           });
           throw new Error(`Artifact revoked: ${parsed.identity}/${parsed.environment} at ${parsed.revokedAt}`);
         }
-        await this.validateDecryptAndCache(raw, contentHash);
+        return { artifact: parsed, contentHash };
       }
       /**
-       * Validate the artifact, decrypt it, and swap the cache.
-       * Emits `artifact.invalid` on any validation or decryption failure,
-       * and `artifact.expired` / `artifact.refreshed` on their respective paths.
+       * Validate the artifact envelope: version, required fields, expiry,
+       * revision dedup, integrity hash, and signature.
+       * Emits `artifact.invalid` / `artifact.expired` telemetry on failure.
+       * Returns the validated artifact, or throws.
        */
-      async validateDecryptAndCache(raw, contentHash) {
+      validateArtifact(parsed) {
         let artifact;
         try {
-          artifact = this.parseAndValidate(raw);
+          artifact = this.validateEnvelope(parsed);
         } catch (err) {
           this.telemetry?.artifactInvalid({
             reason: classifyValidationError(err),
@@ -76885,12 +77197,13 @@ var require_poller = __commonJS({
         }
         if (artifact.expiresAt && Date.now() > new Date(artifact.expiresAt).getTime()) {
           this.options.cache.wipe();
+          this.options.encryptedStore?.wipe();
           this.options.diskCache?.purge();
           this.telemetry?.artifactExpired({ expiresAt: artifact.expiresAt });
           throw new Error(`Artifact expired at ${artifact.expiresAt}`);
         }
         if (artifact.revision === this.lastRevision)
-          return;
+          return artifact;
         const hash = crypto6.createHash("sha256").update(artifact.ciphertext).digest("hex");
         if (hash !== artifact.ciphertextHash) {
           const err = new Error(`Artifact integrity check failed: expected hash ${artifact.ciphertextHash}, got ${hash}`);
@@ -76930,53 +77243,34 @@ var require_poller = __commonJS({
             throw err;
           }
         }
-        let agePrivateKey;
-        if (artifact.envelope) {
-          try {
-            const kms = (0, kms_1.createKmsProvider)(artifact.envelope.provider);
-            const wrappedKey = Buffer.from(artifact.envelope.wrappedKey, "base64");
-            const unwrapped = await kms.unwrap(artifact.envelope.keyId, wrappedKey, artifact.envelope.algorithm);
-            agePrivateKey = unwrapped.toString("utf-8");
-            unwrapped.fill(0);
-          } catch (err) {
-            this.telemetry?.artifactInvalid({
-              reason: "kms_unwrap",
-              error: err instanceof Error ? err.message : String(err)
-            });
-            throw err;
-          }
-        } else {
-          if (!this.options.privateKey) {
-            throw new Error("Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption.");
-          }
-          agePrivateKey = this.options.privateKey;
-        }
-        try {
-          const plaintext = await this.decryptor.decrypt(artifact.ciphertext, agePrivateKey);
-          const values = JSON.parse(plaintext);
-          this.options.cache.swap(values, artifact.keys, artifact.revision);
-          this.lastRevision = artifact.revision;
-          this.lastContentHash = contentHash ?? null;
-          this.lastExpiresAt = artifact.expiresAt ?? null;
-          this.options.onRefresh?.(artifact.revision);
-          this.telemetry?.artifactRefreshed({
-            revision: artifact.revision,
-            keyCount: artifact.keys.length,
-            kmsEnvelope: !!artifact.envelope
-          });
-        } catch (err) {
-          if (err instanceof Error && !err.message.includes("integrity check failed")) {
-            this.telemetry?.artifactInvalid({
-              reason: err instanceof SyntaxError ? "payload_parse" : "decrypt",
-              error: err.message
-            });
-          }
-          throw err;
-        }
+        return artifact;
+      }
+      /**
+       * Validate then decrypt and cache. Used by fetchAndDecrypt (cached mode).
+       */
+      async validateDecryptAndCache(parsed, contentHash) {
+        const artifact = this.validateArtifact(parsed);
+        if (artifact.revision === this.lastRevision)
+          return;
+        const { values } = await this.decryptor.decrypt(artifact);
+        this.options.cache.swap(values, artifact.keys, artifact.revision);
+        this.lastRevision = artifact.revision;
+        this.lastContentHash = contentHash ?? null;
+        this.lastExpiresAt = artifact.expiresAt ?? null;
+        this.options.onRefresh?.(artifact.revision);
+        this.telemetry?.artifactRefreshed({
+          revision: artifact.revision,
+          keyCount: artifact.keys.length,
+          kmsEnvelope: !!artifact.envelope
+        });
       }
       /** Start the polling loop. Performs an initial fetch immediately. */
       async start() {
-        await this.fetchAndDecrypt();
+        if (this.jitMode) {
+          await this.fetchAndValidate();
+        } else {
+          await this.fetchAndDecrypt();
+        }
         this.scheduleNext();
       }
       /** Start only the polling schedule (no initial fetch). */
@@ -77002,7 +77296,11 @@ var require_poller = __commonJS({
         this.timer = setTimeout(async () => {
           this.timer = null;
           try {
-            await this.fetchAndDecrypt();
+            if (this.jitMode) {
+              await this.fetchAndValidate();
+            } else {
+              await this.fetchAndDecrypt();
+            }
           } catch (err) {
             this.options.onError?.(err instanceof Error ? err : new Error(String(err)));
           }
@@ -77018,14 +77316,15 @@ var require_poller = __commonJS({
           }
           return MIN_POLL_MS;
         }
+        if (this.jitMode)
+          return MIN_POLL_MS;
         const ttl = this.options.cacheTtl;
         if (ttl !== void 0) {
           return Math.max(ttl / 10 * 1e3, MIN_POLL_MS);
         }
         return 3e4;
       }
-      parseAndValidate(raw) {
-        const artifact = JSON.parse(raw);
+      validateEnvelope(artifact) {
         if (artifact.version !== 1) {
           throw new Error(`Unsupported artifact version: ${artifact.version}`);
         }
@@ -77033,7 +77332,7 @@ var require_poller = __commonJS({
           throw new Error("Invalid artifact: missing required fields.");
         }
         if (artifact.envelope) {
-          if (!artifact.envelope.provider || !artifact.envelope.keyId || !artifact.envelope.wrappedKey || !artifact.envelope.algorithm) {
+          if (!artifact.envelope.provider || !artifact.envelope.keyId || !artifact.envelope.wrappedKey || !artifact.envelope.algorithm || !artifact.envelope.iv || !artifact.envelope.authTag) {
             throw new Error("Invalid artifact: incomplete envelope fields.");
           }
         }
@@ -77058,6 +77357,50 @@ var require_poller = __commonJS({
   }
 });
 
+// ../runtime/dist/encrypted-artifact-store.js
+var require_encrypted_artifact_store = __commonJS({
+  "../runtime/dist/encrypted-artifact-store.js"(exports2) {
+    "use strict";
+    Object.defineProperty(exports2, "__esModule", { value: true });
+    exports2.EncryptedArtifactStore = void 0;
+    var EncryptedArtifactStore = class {
+      artifact = null;
+      _storedAt = null;
+      /** Atomically replace the stored artifact. */
+      swap(artifact) {
+        this.artifact = artifact;
+        this._storedAt = Date.now();
+      }
+      /** Get the current encrypted artifact. Returns null if not yet loaded. */
+      get() {
+        return this.artifact;
+      }
+      /** Whether an artifact has been stored. */
+      isReady() {
+        return this.artifact !== null;
+      }
+      /** Epoch ms of last store, or null. */
+      getStoredAt() {
+        return this._storedAt;
+      }
+      /** Get key names from the stored artifact metadata (no decryption needed). */
+      getKeys() {
+        return this.artifact ? [...this.artifact.keys] : [];
+      }
+      /** Get the revision from the stored artifact. */
+      getRevision() {
+        return this.artifact?.revision ?? null;
+      }
+      /** Clear the stored artifact (on revocation/expiry). */
+      wipe() {
+        this.artifact = null;
+        this._storedAt = null;
+      }
+    };
+    exports2.EncryptedArtifactStore = EncryptedArtifactStore;
+  }
+});
+
 // ../runtime/dist/telemetry.js
 var require_telemetry = __commonJS({
   "../runtime/dist/telemetry.js"(exports2) {
@@ -77412,14 +77755,23 @@ var require_http = __commonJS({
       async fetch() {
         const res = await fetch(this.url);
         if (!res.ok) {
-          throw new Error(`Failed to fetch artifact from ${this.url}: ${res.status}`);
+          throw new Error(`Failed to fetch artifact from ${this.describe()}: ${res.status}`);
         }
         const raw = await res.text();
         const etag = res.headers.get("etag") ?? void 0;
         return { raw, contentHash: etag };
       }
       describe() {
-        return `HTTP ${this.url}`;
+        try {
+          const parsed = new URL(this.url);
+          if (parsed.username || parsed.password) {
+            parsed.username = "***";
+            parsed.password = "";
+          }
+          return `HTTP ${parsed.href}`;
+        } catch {
+          return "HTTP <invalid-url>";
+        }
       }
     };
     exports2.HttpArtifactSource = HttpArtifactSource;
@@ -77469,14 +77821,14 @@ var require_file = __commonJS({
     })();
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.FileArtifactSource = void 0;
-    var fs27 = __importStar(require("fs"));
+    var fs26 = __importStar(require("fs"));
     var FileArtifactSource = class {
       path;
       constructor(filePath) {
         this.path = filePath;
       }
       async fetch() {
-        const raw = fs27.readFileSync(this.path, "utf-8");
+        const raw = fs26.readFileSync(this.path, "utf-8");
         return { raw };
       }
       describe() {
@@ -77521,7 +77873,7 @@ var require_dist4 = __commonJS({
   "../runtime/dist/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.ClefRuntime = exports2.verifySignature = exports2.buildSigningPayload = exports2.VcsArtifactSource = exports2.FileArtifactSource = exports2.HttpArtifactSource = exports2.createKmsProvider = exports2.AwsKmsProvider = exports2.createVcsProvider = exports2.BitbucketProvider = exports2.GitLabProvider = exports2.GitHubProvider = exports2.TelemetryEmitter = exports2.ArtifactPoller = exports2.AgeDecryptor = exports2.DiskCache = exports2.SecretsCache = void 0;
+    exports2.ClefRuntime = exports2.verifySignature = exports2.buildSigningPayload = exports2.VcsArtifactSource = exports2.FileArtifactSource = exports2.HttpArtifactSource = exports2.createKmsProvider = exports2.AwsKmsProvider = exports2.createVcsProvider = exports2.BitbucketProvider = exports2.GitLabProvider = exports2.GitHubProvider = exports2.TelemetryEmitter = exports2.EncryptedArtifactStore = exports2.ArtifactDecryptor = exports2.ArtifactPoller = exports2.AgeDecryptor = exports2.DiskCache = exports2.SecretsCache = void 0;
     exports2.init = init;
     var secrets_cache_1 = require_secrets_cache();
     Object.defineProperty(exports2, "SecretsCache", { enumerable: true, get: function() {
@@ -77539,6 +77891,14 @@ var require_dist4 = __commonJS({
     Object.defineProperty(exports2, "ArtifactPoller", { enumerable: true, get: function() {
       return poller_1.ArtifactPoller;
     } });
+    var artifact_decryptor_1 = require_artifact_decryptor();
+    Object.defineProperty(exports2, "ArtifactDecryptor", { enumerable: true, get: function() {
+      return artifact_decryptor_1.ArtifactDecryptor;
+    } });
+    var encrypted_artifact_store_1 = require_encrypted_artifact_store();
+    Object.defineProperty(exports2, "EncryptedArtifactStore", { enumerable: true, get: function() {
+      return encrypted_artifact_store_1.EncryptedArtifactStore;
+    } });
     var telemetry_1 = require_telemetry();
     Object.defineProperty(exports2, "TelemetryEmitter", { enumerable: true, get: function() {
       return telemetry_1.TelemetryEmitter;
@@ -77751,10 +78111,13 @@ var NodeSubprocessRunner = class {
 };
 
 // src/commands/init.ts
-var fs17 = __toESM(require("fs"));
+var fs16 = __toESM(require("fs"));
 var path19 = __toESM(require("path"));
 var readline2 = __toESM(require("readline"));
-var YAML12 = __toESM(require_dist());
+var YAML11 = __toESM(require_dist());
+init_src();
+
+// src/handle-error.ts
 init_src();
 
 // src/output/formatter.ts
@@ -77966,6 +78329,16 @@ function pad(str2, width) {
   return diff > 0 ? str2 + " ".repeat(diff) : str2;
 }
 
+// src/handle-error.ts
+function handleCommandError(err) {
+  if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
+    formatter.formatDependencyError(err);
+  } else {
+    formatter.error(err.message);
+  }
+  process.exit(1);
+}
+
 // src/keychain.ts
 var SERVICE = "clef";
 var CRED_HELPER_CS = `
@@ -78416,8 +78789,8 @@ function registerInitCommand(program3, deps2) {
       }
       const manifestPath = path19.join(repoRoot, "clef.yaml");
       const clefConfigPath = path19.join(repoRoot, CLEF_DIR, CLEF_CONFIG_FILENAME);
-      const manifestExists = fs17.existsSync(manifestPath);
-      const localConfigExists = fs17.existsSync(clefConfigPath);
+      const manifestExists = fs16.existsSync(manifestPath);
+      const localConfigExists = fs16.existsSync(clefConfigPath);
       if (manifestExists && localConfigExists) {
         formatter.print("Already initialised. Run 'clef update' to scaffold new environments.");
         process.exit(0);
@@ -78439,8 +78812,7 @@ function registerInitCommand(program3, deps2) {
       }
       await handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, options);
     } catch (err) {
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
@@ -78472,22 +78844,22 @@ async function handleSecondDevOnboarding(repoRoot, clefConfigPath, deps2, option
     const publicKey = identity.publicKey;
     const keyContent = formatAgeKeyFile(privateKey, publicKey);
     const keyDir = path19.dirname(keyPath);
-    if (!fs17.existsSync(keyDir)) {
-      fs17.mkdirSync(keyDir, { recursive: true });
+    if (!fs16.existsSync(keyDir)) {
+      fs16.mkdirSync(keyDir, { recursive: true });
     }
-    fs17.writeFileSync(keyPath, keyContent, { encoding: "utf-8", mode: 384 });
+    fs16.writeFileSync(keyPath, keyContent, { encoding: "utf-8", mode: 384 });
     formatter.success(`Generated age key at ${keyPath}`);
     config = { age_key_file: keyPath, age_key_storage: "file", age_keychain_label: label };
   }
   const clefDir = path19.dirname(clefConfigPath);
-  if (!fs17.existsSync(clefDir)) {
-    fs17.mkdirSync(clefDir, { recursive: true });
+  if (!fs16.existsSync(clefDir)) {
+    fs16.mkdirSync(clefDir, { recursive: true });
   }
-  fs17.writeFileSync(clefConfigPath, YAML12.stringify(config), "utf-8");
+  fs16.writeFileSync(clefConfigPath, YAML11.stringify(config), "utf-8");
   formatter.success("Created .clef/config.yaml");
   const gitignorePath = path19.join(clefDir, ".gitignore");
-  if (!fs17.existsSync(gitignorePath)) {
-    fs17.writeFileSync(gitignorePath, "*\n", "utf-8");
+  if (!fs16.existsSync(gitignorePath)) {
+    fs16.writeFileSync(gitignorePath, "*\n", "utf-8");
     formatter.success("Created .clef/.gitignore");
   }
   formatter.success(`Key label: ${label}`);
@@ -78579,38 +78951,38 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
       }
       const keyContent = formatAgeKeyFile(privateKey, publicKey);
       const keyDir = path19.dirname(keyPath);
-      if (!fs17.existsSync(keyDir)) {
-        fs17.mkdirSync(keyDir, { recursive: true });
+      if (!fs16.existsSync(keyDir)) {
+        fs16.mkdirSync(keyDir, { recursive: true });
       }
-      fs17.writeFileSync(keyPath, keyContent, { encoding: "utf-8", mode: 384 });
+      fs16.writeFileSync(keyPath, keyContent, { encoding: "utf-8", mode: 384 });
       formatter.success(`Generated age key at ${keyPath}`);
       ageKeyFile = keyPath;
     }
     const clefDir = path19.dirname(clefConfigPath);
-    if (!fs17.existsSync(clefDir)) {
-      fs17.mkdirSync(clefDir, { recursive: true });
+    if (!fs16.existsSync(clefDir)) {
+      fs16.mkdirSync(clefDir, { recursive: true });
     }
     const config = ageKeyFile ? { age_key_file: ageKeyFile, age_key_storage: "file", age_keychain_label: label } : { age_key_storage: "keychain", age_keychain_label: label };
-    fs17.writeFileSync(clefConfigPath, YAML12.stringify(config), "utf-8");
+    fs16.writeFileSync(clefConfigPath, YAML11.stringify(config), "utf-8");
     formatter.success("Created .clef/config.yaml");
     const gitignorePath = path19.join(clefDir, ".gitignore");
-    if (!fs17.existsSync(gitignorePath)) {
-      fs17.writeFileSync(gitignorePath, "*\n", "utf-8");
+    if (!fs16.existsSync(gitignorePath)) {
+      fs16.writeFileSync(gitignorePath, "*\n", "utf-8");
       formatter.success("Created .clef/.gitignore");
     }
     formatter.success(`Key label: ${label}`);
   }
-  const manifestDoc = YAML12.parse(YAML12.stringify(manifest));
+  const manifestDoc = YAML11.parse(YAML11.stringify(manifest));
   if (backend === "age" && publicKey) {
     const sopsDoc = manifestDoc.sops;
     sopsDoc.age = { recipients: [publicKey] };
   }
-  fs17.writeFileSync(manifestPath, YAML12.stringify(manifestDoc), "utf-8");
+  fs16.writeFileSync(manifestPath, YAML11.stringify(manifestDoc), "utf-8");
   formatter.success("Created clef.yaml");
   {
     const sopsYamlPath = path19.join(repoRoot, ".sops.yaml");
     const sopsConfig = buildSopsYaml(manifest, repoRoot, publicKey);
-    fs17.writeFileSync(sopsYamlPath, YAML12.stringify(sopsConfig), "utf-8");
+    fs16.writeFileSync(sopsYamlPath, YAML11.stringify(sopsConfig), "utf-8");
     formatter.success("Created .sops.yaml");
   }
   const sopsClient = new SopsClient(deps2.runner, ageKeyFile, ageKey);
@@ -78667,8 +79039,8 @@ async function handleFullSetup(repoRoot, manifestPath, clefConfigPath, deps2, op
     }
   }
   const clefignorePath = path19.join(repoRoot, ".clefignore");
-  if (!fs17.existsSync(clefignorePath)) {
-    fs17.writeFileSync(clefignorePath, DEFAULT_CLEFIGNORE, "utf-8");
+  if (!fs16.existsSync(clefignorePath)) {
+    fs16.writeFileSync(clefignorePath, DEFAULT_CLEFIGNORE, "utf-8");
     formatter.success("Created .clefignore");
   } else {
     formatter.print("  .clefignore already exists \u2014 skipping");
@@ -78700,7 +79072,7 @@ function scaffoldSopsConfig(repoRoot) {
     agePublicKey = resolveAgePublicKeyFromEnvOrFile(repoRoot);
   }
   const sopsConfig = buildSopsYaml(manifest, repoRoot, agePublicKey);
-  fs17.writeFileSync(sopsYamlPath, YAML12.stringify(sopsConfig), "utf-8");
+  fs16.writeFileSync(sopsYamlPath, YAML11.stringify(sopsConfig), "utf-8");
 }
 function buildSopsYaml(manifest, _repoRoot, agePublicKey) {
   const creationRules = [];
@@ -78764,9 +79136,9 @@ function resolveAgePublicKeyFromEnvOrFile(repoRoot) {
     if (match) return match[1];
   }
   const clefConfigPath = path19.join(repoRoot, CLEF_DIR, CLEF_CONFIG_FILENAME);
-  if (fs17.existsSync(clefConfigPath)) {
+  if (fs16.existsSync(clefConfigPath)) {
     try {
-      const config = YAML12.parse(fs17.readFileSync(clefConfigPath, "utf-8"));
+      const config = YAML11.parse(fs16.readFileSync(clefConfigPath, "utf-8"));
       if (config?.age_key_file) {
         const pubKey = extractAgePublicKey(config.age_key_file);
         if (pubKey) return pubKey;
@@ -78778,8 +79150,8 @@ function resolveAgePublicKeyFromEnvOrFile(repoRoot) {
 }
 function extractAgePublicKey(keyFilePath) {
   try {
-    if (!fs17.existsSync(keyFilePath)) return void 0;
-    const content = fs17.readFileSync(keyFilePath, "utf-8");
+    if (!fs16.existsSync(keyFilePath)) return void 0;
+    const content = fs16.readFileSync(keyFilePath, "utf-8");
     const match = content.match(/# public key: (age1[a-z0-9]+)/);
     return match ? match[1] : void 0;
   } catch {
@@ -78846,9 +79218,9 @@ var path21 = __toESM(require("path"));
 init_src();
 
 // src/age-credential.ts
-var fs18 = __toESM(require("fs"));
+var fs17 = __toESM(require("fs"));
 var path20 = __toESM(require("path"));
-var YAML13 = __toESM(require_dist());
+var YAML12 = __toESM(require_dist());
 init_src();
 var CLEF_DIR2 = ".clef";
 var CLEF_CONFIG_FILENAME2 = "config.yaml";
@@ -78913,7 +79285,7 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
       const filePath = process.env.CLEF_AGE_KEY_FILE;
       if (!filePath) return null;
       try {
-        const content = fs18.readFileSync(filePath, "utf-8");
+        const content = fs17.readFileSync(filePath, "utf-8");
         const match = content.match(AGE_SECRET_KEY_RE);
         return match ? match[1] : null;
       } catch (err) {
@@ -78925,7 +79297,7 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
     }
     case "config-file": {
       try {
-        const content = fs18.readFileSync(credential.path, "utf-8");
+        const content = fs17.readFileSync(credential.path, "utf-8");
         const match = content.match(AGE_SECRET_KEY_RE);
         return match ? match[1] : null;
       } catch (err) {
@@ -78940,8 +79312,8 @@ async function resolveAgePrivateKey(repoRoot, runner2) {
 function readLocalConfig(repoRoot) {
   const clefConfigPath = path20.join(repoRoot, CLEF_DIR2, CLEF_CONFIG_FILENAME2);
   try {
-    if (!fs18.existsSync(clefConfigPath)) return null;
-    return YAML13.parse(fs18.readFileSync(clefConfigPath, "utf-8"));
+    if (!fs17.existsSync(clefConfigPath)) return null;
+    return YAML12.parse(fs17.readFileSync(clefConfigPath, "utf-8"));
   } catch (err) {
     formatter.warn(
       `Failed to parse ${clefConfigPath}: ${err instanceof Error ? err.message : String(err)}
@@ -78983,6 +79355,15 @@ function maskedPlaceholder() {
   return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
 }
 
+// src/parse-target.ts
+function parseTarget(target) {
+  const parts = target.split("/");
+  if (parts.length !== 2 || !parts[0] || !parts[1]) {
+    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
+  }
+  return [parts[0], parts[1]];
+}
+
 // src/commands/get.ts
 function registerGetCommand(program3, deps2) {
   program3.command("get <target> <key>").description(
@@ -79018,23 +79399,10 @@ function registerGetCommand(program3, deps2) {
         }
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
-function parseTarget(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/set.ts
 var path22 = __toESM(require("path"));
@@ -79149,7 +79517,7 @@ function registerSetCommand(program3, deps2) {
   Consider using the interactive prompt instead: clef set ${target} ${key}`
           );
         }
-        const [namespace, environment] = parseTarget2(target);
+        const [namespace, environment] = parseTarget(target);
         const matrixManager = new MatrixManager();
         if (matrixManager.isProtectedEnvironment(manifest, environment)) {
           const confirmed = await formatter.confirm(
@@ -79181,11 +79549,22 @@ function registerSetCommand(program3, deps2) {
           try {
             await markPendingWithRetry(filePath, [key], "clef set --random");
           } catch {
-            formatter.error(
-              `${key} was encrypted but pending state could not be recorded.
-  The encrypted file contains a random placeholder value with no tracking metadata.
+            try {
+              delete decrypted.values[key];
+              await sopsClient.encrypt(filePath, decrypted.values, manifest, environment);
+            } catch {
+              formatter.error(
+                `${key} was encrypted but pending state could not be recorded, and rollback failed.
+  The encrypted file may contain an untracked random placeholder.
   This key MUST be set to a real value before deploying.
   Run: clef set ${namespace}/${environment} ${key}`
+              );
+              process.exit(1);
+              return;
+            }
+            formatter.error(
+              `${key}: pending state could not be recorded. The value was rolled back.
+  Retry: clef set --random ${namespace}/${environment} ${key}`
             );
             process.exit(1);
             return;
@@ -79210,24 +79589,11 @@ function registerSetCommand(program3, deps2) {
           );
         }
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        formatter.error(err.message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
 }
-function parseTarget2(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/compare.ts
 var path23 = __toESM(require("path"));
@@ -79238,7 +79604,7 @@ function registerCompareCommand(program3, deps2) {
     "Compare a stored secret with a supplied value.\n\n  target: namespace/environment (e.g. payments/staging)\n  key:    the key name to compare\n  value:  optional \u2014 if omitted, prompts with hidden input\n\nNeither value is ever printed to stdout.\n\nExit codes:\n  0  values match\n  1  values do not match or operation failed"
   ).action(async (target, key, value) => {
     try {
-      const [namespace, environment] = parseTarget3(target);
+      const [namespace, environment] = parseTarget(target);
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
       const manifest = parser.parse(path23.join(repoRoot, "clef.yaml"));
@@ -79268,7 +79634,15 @@ function registerCompareCommand(program3, deps2) {
         return;
       }
       const stored = decrypted.values[key];
-      const match = stored.length === compareValue.length && crypto5.timingSafeEqual(Buffer.from(stored), Buffer.from(compareValue));
+      const storedBuf = Buffer.from(stored);
+      const compareBuf = Buffer.from(compareValue);
+      const maxLen = Math.max(storedBuf.length, compareBuf.length, 1);
+      const paddedStored = Buffer.alloc(maxLen);
+      const paddedCompare = Buffer.alloc(maxLen);
+      storedBuf.copy(paddedStored);
+      compareBuf.copy(paddedCompare);
+      const timingEqual = crypto5.timingSafeEqual(paddedStored, paddedCompare);
+      const match = storedBuf.length === compareBuf.length && timingEqual;
       if (match) {
         formatter.success(`${key} ${sym("arrow")} values match`);
       } else {
@@ -79276,23 +79650,10 @@ function registerCompareCommand(program3, deps2) {
         process.exit(1);
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
-function parseTarget3(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/delete.ts
 var path24 = __toESM(require("path"));
@@ -79324,7 +79685,7 @@ Type the key name to confirm:`
         await bulkOps.deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot);
         formatter.success(`Deleted '${key}' from ${namespace} in all environments`);
       } else {
-        const [namespace, environment] = parseTarget4(target);
+        const [namespace, environment] = parseTarget(target);
         if (matrixManager.isProtectedEnvironment(manifest, environment)) {
           const protConfirmed = await formatter.confirm(
             `This is a protected environment (${environment}). Are you sure you want to delete '${key}'?`
@@ -79366,23 +79727,10 @@ Type the key name to confirm:`
         );
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
-function parseTarget4(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/diff.ts
 var path25 = __toESM(require("path"));
@@ -79437,13 +79785,7 @@ function registerDiffCommand(program3, deps2) {
         const hasDiffs = result.rows.some((r) => r.status !== "identical");
         process.exit(hasDiffs ? 1 : 0);
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        formatter.error(err.message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
@@ -79730,7 +80072,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version = "0.1.8";
+var version = "0.1.9-beta.57";
 var package_default = {
   name: "@clef-sh/cli",
   version,
@@ -79835,13 +80177,7 @@ function registerLintCommand(program3, deps2) {
       const hasErrors = result.issues.some((i) => i.severity === "error");
       process.exit(hasErrors ? 1 : 0);
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
@@ -79911,7 +80247,7 @@ function registerRotateCommand(program3, deps2) {
     "Rotate encryption key for a namespace/environment file.\n\n  target:     namespace/environment (e.g. payments/production)\n  --new-key:  the new age public key to add (required)\n\nExit codes:\n  0  key rotated successfully\n  1  operation failed"
   ).requiredOption("--new-key <key>", "New age public key to rotate to").action(async (target, options) => {
     try {
-      const [namespace, environment] = parseTarget5(target);
+      const [namespace, environment] = parseTarget(target);
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
       const manifest = parser.parse(path27.join(repoRoot, "clef.yaml"));
@@ -79938,26 +80274,13 @@ function registerRotateCommand(program3, deps2) {
         `git add ${relativeFile} && git commit -m "rotate: ${namespace}/${environment}"`
       );
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
-function parseTarget5(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/hooks.ts
-var fs19 = __toESM(require("fs"));
+var fs18 = __toESM(require("fs"));
 var path28 = __toESM(require("path"));
 init_src();
 function registerHooksCommand(program3, deps2) {
@@ -79966,8 +80289,8 @@ function registerHooksCommand(program3, deps2) {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const hookPath = path28.join(repoRoot, ".git", "hooks", "pre-commit");
-      if (fs19.existsSync(hookPath)) {
-        const content = fs19.readFileSync(hookPath, "utf-8");
+      if (fs18.existsSync(hookPath)) {
+        const content = fs18.readFileSync(hookPath, "utf-8");
         if (content.includes("clef") || content.includes("SOPS")) {
           const confirmed = await formatter.confirm(
             "A Clef pre-commit hook already exists. Overwrite?"
@@ -80097,6 +80420,7 @@ async function openBrowser(url, runner2) {
 }
 
 // src/commands/exec.ts
+var os2 = __toESM(require("os"));
 var path30 = __toESM(require("path"));
 var import_child_process3 = require("child_process");
 init_src();
@@ -80133,7 +80457,7 @@ function registerExecCommand(program3, deps2) {
           process.exit(1);
           return;
         }
-        const [namespace, environment] = parseTarget6(target);
+        const [namespace, environment] = parseTarget(target);
         const repoRoot = program3.opts().dir || process.cwd();
         const parser = new ManifestParser();
         const manifest = parser.parse(path30.join(repoRoot, "clef.yaml"));
@@ -80150,7 +80474,7 @@ function registerExecCommand(program3, deps2) {
         const mergedValues = { ...primaryDecrypted.values };
         for (const alsoTarget of options.also) {
           try {
-            const [alsoNs, alsoEnv] = parseTarget6(alsoTarget);
+            const [alsoNs, alsoEnv] = parseTarget(alsoTarget);
             const alsoFilePath = path30.join(
               repoRoot,
               manifest.file_pattern.replace("{namespace}", alsoNs).replace("{environment}", alsoEnv)
@@ -80187,14 +80511,7 @@ function registerExecCommand(program3, deps2) {
         const exitCode = await spawnChild(childCommand, childCommandArgs, childEnv);
         process.exit(exitCode);
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        const message = err instanceof Error ? err.message : "Execution failed";
-        formatter.error(message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
@@ -80220,12 +80537,8 @@ function spawnChild(command, args, env) {
       process.off("SIGTERM", sigtermHandler);
       process.off("SIGINT", sigintHandler);
       if (signal) {
-        const signalCodes = {
-          SIGHUP: 129,
-          SIGINT: 130,
-          SIGTERM: 143
-        };
-        resolve6(signalCodes[signal] ?? 128);
+        const sigNum = os2.constants?.signals?.[signal];
+        resolve6(sigNum ? 128 + sigNum : 128);
       } else {
         resolve6(code ?? 1);
       }
@@ -80243,13 +80556,6 @@ function spawnChild(command, args, env) {
     process.on("SIGINT", sigintHandler);
   });
 }
-function parseTarget6(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/export.ts
 var path31 = __toESM(require("path"));
@@ -80278,7 +80584,7 @@ Usage: clef export payments/production --format env`
         process.exit(1);
         return;
       }
-      const [namespace, environment] = parseTarget7(target);
+      const [namespace, environment] = parseTarget(target);
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
       const manifest = parser.parse(path31.join(repoRoot, "clef.yaml"));
@@ -80313,29 +80619,15 @@ Usage: clef export payments/production --format env`
         }
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      const message = err instanceof Error ? err.message : "Export failed";
-      formatter.error(message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
-function parseTarget7(target) {
-  const parts = target.split("/");
-  if (parts.length !== 2 || !parts[0] || !parts[1]) {
-    throw new Error(`Invalid target "${target}". Expected format: namespace/environment`);
-  }
-  return [parts[0], parts[1]];
-}
 
 // src/commands/doctor.ts
-var fs20 = __toESM(require("fs"));
+var fs19 = __toESM(require("fs"));
 var path32 = __toESM(require("path"));
-var YAML14 = __toESM(require_dist());
+var YAML13 = __toESM(require_dist());
 init_src();
 function registerDoctorCommand(program3, deps2) {
   program3.command("doctor").description(
@@ -80385,7 +80677,7 @@ function registerDoctorCommand(program3, deps2) {
       });
     }
     const manifestPath = path32.join(repoRoot, "clef.yaml");
-    const manifestFound = fs20.existsSync(manifestPath);
+    const manifestFound = fs19.existsSync(manifestPath);
     checks.push({
       name: "manifest",
       ok: manifestFound,
@@ -80395,7 +80687,7 @@ function registerDoctorCommand(program3, deps2) {
     const ageKeyResult = await checkAgeKey(repoRoot, deps2.runner);
     checks.push(ageKeyResult);
     const sopsYamlPath = path32.join(repoRoot, ".sops.yaml");
-    const sopsYamlFound = fs20.existsSync(sopsYamlPath);
+    const sopsYamlFound = fs19.existsSync(sopsYamlPath);
     checks.push({
       name: ".sops.yaml",
       ok: sopsYamlFound,
@@ -80403,11 +80695,11 @@ function registerDoctorCommand(program3, deps2) {
       hint: sopsYamlFound ? void 0 : "run: clef init"
     });
     const clefignorePath = path32.join(repoRoot, ".clefignore");
-    const clefignoreFound = fs20.existsSync(clefignorePath);
+    const clefignoreFound = fs19.existsSync(clefignorePath);
     let clefignoreRuleCount = 0;
     if (clefignoreFound) {
       try {
-        const content = fs20.readFileSync(clefignorePath, "utf-8");
+        const content = fs19.readFileSync(clefignorePath, "utf-8");
         clefignoreRuleCount = content.split("\n").filter(
           (l) => l.trim() && !l.trim().startsWith("#") && !l.trim().startsWith("ignore-pattern:")
         ).length;
@@ -80439,7 +80731,7 @@ function registerDoctorCommand(program3, deps2) {
         formatter.info("Attempting to fix: generating .sops.yaml from manifest...");
         try {
           scaffoldSopsConfig(repoRoot);
-          const nowFound = fs20.existsSync(sopsYamlPath);
+          const nowFound = fs19.existsSync(sopsYamlPath);
           if (nowFound) {
             const sopsYamlCheck = checks.find((c) => c.name === ".sops.yaml");
             if (sopsYamlCheck) {
@@ -80563,7 +80855,7 @@ async function checkAgeKey(repoRoot, runner2) {
         source: "env"
       };
     case "config-file":
-      if (!fs20.existsSync(credential.path)) {
+      if (!fs19.existsSync(credential.path)) {
         return {
           name: "age key",
           ok: false,
@@ -80582,9 +80874,9 @@ async function checkAgeKey(repoRoot, runner2) {
 }
 function countAgeRecipients(sopsYamlPath) {
   try {
-    if (!fs20.existsSync(sopsYamlPath)) return 0;
-    const content = fs20.readFileSync(sopsYamlPath, "utf-8");
-    const config = YAML14.parse(content);
+    if (!fs19.existsSync(sopsYamlPath)) return 0;
+    const content = fs19.readFileSync(sopsYamlPath, "utf-8");
+    const config = YAML13.parse(content);
     if (!config?.creation_rules || !Array.isArray(config.creation_rules)) {
       return 0;
     }
@@ -80610,7 +80902,7 @@ function getSopsInstallHint() {
 }
 
 // src/commands/update.ts
-var fs21 = __toESM(require("fs"));
+var fs20 = __toESM(require("fs"));
 var path33 = __toESM(require("path"));
 init_src();
 function registerUpdateCommand(program3, deps2) {
@@ -80620,7 +80912,7 @@ function registerUpdateCommand(program3, deps2) {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const manifestPath = path33.join(repoRoot, "clef.yaml");
-      if (!fs21.existsSync(manifestPath)) {
+      if (!fs20.existsSync(manifestPath)) {
         formatter.error("clef.yaml not found. Run 'clef init' to initialise this repository.");
         process.exit(1);
         return;
@@ -80654,19 +80946,12 @@ function registerUpdateCommand(program3, deps2) {
         formatter.success(`Scaffolded ${scaffoldedCount} encrypted file(s)`);
       }
       if (failedCount === 0) {
-        process.exit(0);
         return;
       }
       formatter.error(`${failedCount} cell(s) could not be scaffolded.`);
       process.exit(1);
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
@@ -80791,7 +81076,7 @@ function formatScanOutput(result) {
 }
 
 // src/commands/import.ts
-var fs22 = __toESM(require("fs"));
+var fs21 = __toESM(require("fs"));
 var path35 = __toESM(require("path"));
 init_src();
 async function readStdin() {
@@ -80853,13 +81138,13 @@ function registerImportCommand(program3, deps2) {
         if (opts.stdin) {
           content = await readStdin();
         } else if (source) {
-          if (!fs22.existsSync(source)) {
+          if (!fs21.existsSync(source)) {
             formatter.error(`Source file not found: ${source}`);
             process.exit(2);
             return;
           }
           try {
-            content = fs22.readFileSync(source, "utf-8");
+            content = fs21.readFileSync(source, "utf-8");
             sourcePath = source;
           } catch (err) {
             formatter.error(`Could not read source file: ${err.message}`);
@@ -80947,13 +81232,7 @@ ${result.imported.length} imported, ${result.skipped.length} skipped, ${result.f
           }
         }
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        formatter.error(err.message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
@@ -81012,13 +81291,7 @@ function registerRecipientsCommand(program3, deps2) {
         formatter.recipientItem(r.label || r.preview, r.label ? r.preview : "");
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   recipientsCmd.command("add <key>").description(
@@ -81048,13 +81321,7 @@ function registerRecipientsCommand(program3, deps2) {
         );
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   recipientsCmd.command("remove <key>").description("Remove an age recipient and re-encrypt all files in the matrix.").option("-e, --environment <env>", "Scope removal to a specific environment").action(async (key, opts) => {
@@ -81162,13 +81429,7 @@ ${sym("failure")} Re-encryption failed on ${path36.basename(failedFile)}`
         `git add clef.yaml && git add -A && git commit -m "remove recipient: ${label}${envSuffix}"`
       );
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   recipientsCmd.command("request").description(
@@ -81286,13 +81547,7 @@ ${sym("failure")} Re-encryption failed on ${path36.basename(failedFile)}`
         );
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
@@ -81362,14 +81617,14 @@ ${sym("failure")} Re-encryption failed on ${path36.basename(failedFile)}`);
 }
 
 // src/commands/merge-driver.ts
-var fs23 = __toESM(require("fs"));
+var fs22 = __toESM(require("fs"));
 var path37 = __toESM(require("path"));
 init_src();
 async function findRepoRoot(filePath, runner2) {
   try {
     let dir = path37.dirname(path37.resolve(filePath));
     for (let i = 0; i < 50; i++) {
-      if (fs23.existsSync(path37.join(dir, "clef.yaml"))) return dir;
+      if (fs22.existsSync(path37.join(dir, "clef.yaml"))) return dir;
       const parent = path37.dirname(dir);
       if (parent === dir) break;
       dir = parent;
@@ -81402,7 +81657,7 @@ function registerMergeDriverCommand(program3, deps2) {
         const manifestPath = path37.join(repoRoot, "clef.yaml");
         let manifest;
         let environment;
-        if (fs23.existsSync(manifestPath)) {
+        if (fs22.existsSync(manifestPath)) {
           const parser = new ManifestParser();
           manifest = parser.parse(manifestPath);
           for (const ns of manifest.namespaces) {
@@ -81496,40 +81751,7 @@ function registerServiceCommand(program3, deps2) {
         const parser = new ManifestParser();
         const manifest = parser.parse(path38.join(repoRoot, "clef.yaml"));
         const namespaces = opts.namespaces.split(",").map((s) => s.trim());
-        let kmsEnvConfigs;
-        if (opts.kmsEnv.length > 0) {
-          kmsEnvConfigs = {};
-          for (const mapping of opts.kmsEnv) {
-            const eqIdx = mapping.indexOf("=");
-            if (eqIdx === -1) {
-              throw new Error(
-                `Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`
-              );
-            }
-            const envName = mapping.slice(0, eqIdx);
-            const rest = mapping.slice(eqIdx + 1);
-            const colonIdx = rest.indexOf(":");
-            if (colonIdx === -1) {
-              throw new Error(
-                `Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`
-              );
-            }
-            const provider = rest.slice(0, colonIdx);
-            const keyId = rest.slice(colonIdx + 1);
-            if (!["aws", "gcp", "azure"].includes(provider)) {
-              throw new Error(
-                `Invalid KMS provider '${provider}'. Must be one of: aws, gcp, azure.`
-              );
-            }
-            if (kmsEnvConfigs[envName]) {
-              throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
-            }
-            kmsEnvConfigs[envName] = {
-              provider,
-              keyId
-            };
-          }
-        }
+        const kmsEnvConfigs = opts.kmsEnv.length > 0 ? parseKmsEnvMappings(opts.kmsEnv) : void 0;
         const hasAgeEnvs = !kmsEnvConfigs || manifest.environments.some((e) => !kmsEnvConfigs[e.name]);
         const protectedEnvs = manifest.environments.filter((e) => e.protected).map((e) => e.name);
         if (protectedEnvs.length > 0 && hasAgeEnvs) {
@@ -81594,13 +81816,7 @@ function registerServiceCommand(program3, deps2) {
           `git add clef.yaml && git commit -m "feat: add service identity '${name}'"`
         );
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        formatter.error(err.message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
@@ -81625,13 +81841,7 @@ function registerServiceCommand(program3, deps2) {
       });
       formatter.table(rows, ["Name", "Namespaces", "Environments"]);
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   serviceCmd.command("show <name>").description("Show details of a service identity.").action(async (name) => {
@@ -81664,13 +81874,7 @@ Service Identity: ${identity.name}`);
       }
       formatter.print("");
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   serviceCmd.command("validate").description("Validate service identity configurations and report drift issues.").action(async () => {
@@ -81705,13 +81909,7 @@ Service Identity: ${identity.name}`);
         formatter.warn(`${warnCount} warning(s)`);
       }
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   serviceCmd.command("update <name>").description("Update an existing service identity's environment backends.").option(
@@ -81732,31 +81930,7 @@ Service Identity: ${identity.name}`);
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
       const manifest = parser.parse(path38.join(repoRoot, "clef.yaml"));
-      const kmsEnvConfigs = {};
-      for (const mapping of opts.kmsEnv) {
-        const eqIdx = mapping.indexOf("=");
-        if (eqIdx === -1) {
-          throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
-        }
-        const envName = mapping.slice(0, eqIdx);
-        const rest = mapping.slice(eqIdx + 1);
-        const colonIdx = rest.indexOf(":");
-        if (colonIdx === -1) {
-          throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
-        }
-        const provider = rest.slice(0, colonIdx);
-        const keyId = rest.slice(colonIdx + 1);
-        if (!["aws", "gcp", "azure"].includes(provider)) {
-          throw new Error(`Invalid KMS provider '${provider}'. Must be one of: aws, gcp, azure.`);
-        }
-        if (kmsEnvConfigs[envName]) {
-          throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
-        }
-        kmsEnvConfigs[envName] = {
-          provider,
-          keyId
-        };
-      }
+      const kmsEnvConfigs = parseKmsEnvMappings(opts.kmsEnv);
       const matrixManager = new MatrixManager();
       const sopsClient = await createSopsClient(repoRoot, deps2.runner);
       const manager = new ServiceIdentityManager(sopsClient, matrixManager);
@@ -81770,13 +81944,7 @@ Service Identity: ${identity.name}`);
         `git add clef.yaml && git commit -m "chore: update service identity '${name}'"`
       );
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   serviceCmd.command("delete <name>").description("Delete a service identity and remove its recipients from scoped files.").action(async (name) => {
@@ -81808,13 +81976,7 @@ Service Identity: ${identity.name}`);
         `git add clef.yaml && git commit -m "chore: delete service identity '${name}'"`
       );
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
   serviceCmd.command("rotate <name>").description("Rotate the age key for a service identity.").option("-e, --environment <env>", "Rotate only a specific environment").action(async (name, opts) => {
@@ -81868,11 +82030,6 @@ Service Identity: ${identity.name}`);
         `git add clef.yaml && git commit -m "chore: rotate service identity '${name}'"`
       );
     } catch (err) {
-      if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-        formatter.formatDependencyError(err);
-        process.exit(1);
-        return;
-      }
       if (err instanceof PartialRotationError) {
         formatter.error(err.message);
         const partialEntries = Object.entries(err.rotatedKeys);
@@ -81905,11 +82062,37 @@ Service Identity: ${identity.name}`);
         process.exit(1);
         return;
       }
-      formatter.error(err.message);
-      process.exit(1);
+      handleCommandError(err);
     }
   });
 }
+function parseKmsEnvMappings(mappings) {
+  const configs = {};
+  for (const mapping of mappings) {
+    const eqIdx = mapping.indexOf("=");
+    if (eqIdx === -1) {
+      throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
+    }
+    const envName = mapping.slice(0, eqIdx);
+    const rest = mapping.slice(eqIdx + 1);
+    const colonIdx = rest.indexOf(":");
+    if (colonIdx === -1) {
+      throw new Error(`Invalid --kms-env format: '${mapping}'. Expected: env=provider:keyId`);
+    }
+    const provider = rest.slice(0, colonIdx);
+    const keyId = rest.slice(colonIdx + 1);
+    if (!VALID_KMS_PROVIDERS.includes(provider)) {
+      throw new Error(
+        `Invalid KMS provider '${provider}'. Must be one of: ${VALID_KMS_PROVIDERS.join(", ")}.`
+      );
+    }
+    if (configs[envName]) {
+      throw new Error(`Duplicate --kms-env for environment '${envName}'.`);
+    }
+    configs[envName] = { provider, keyId };
+  }
+  return configs;
+}
 
 // src/commands/pack.ts
 var path39 = __toESM(require("path"));
@@ -81983,21 +82166,14 @@ function registerPackCommand(program3, deps2) {
           "\nUpload the artifact to an HTTP-accessible store (S3, GCS, etc.) or commit to\n  .clef/packed/ for VCS-based delivery. See: clef.sh/guide/service-identities"
         );
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        const message = err instanceof Error ? err.message : "Pack failed";
-        formatter.error(message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
 }
 
 // src/commands/revoke.ts
-var fs24 = __toESM(require("fs"));
+var fs23 = __toESM(require("fs"));
 var path40 = __toESM(require("path"));
 init_src();
 function registerRevokeCommand(program3, _deps) {
@@ -82031,8 +82207,8 @@ function registerRevokeCommand(program3, _deps) {
         environment,
         revokedAt: (/* @__PURE__ */ new Date()).toISOString()
       };
-      fs24.mkdirSync(artifactDir, { recursive: true });
-      fs24.writeFileSync(artifactPath, JSON.stringify(revoked, null, 2) + "\n", "utf-8");
+      fs23.mkdirSync(artifactDir, { recursive: true });
+      fs23.writeFileSync(artifactPath, JSON.stringify(revoked, null, 2) + "\n", "utf-8");
       const relPath = path40.relative(repoRoot, artifactPath);
       formatter.success(`Artifact revoked: ${relPath}`);
       formatter.print("");
@@ -82134,12 +82310,12 @@ var import_picocolors6 = __toESM(require_picocolors());
 init_src();
 
 // src/report/historical.ts
-var os2 = __toESM(require("os"));
+var os3 = __toESM(require("os"));
 var path42 = __toESM(require("path"));
-var fs25 = __toESM(require("fs"));
+var fs24 = __toESM(require("fs"));
 init_src();
 async function generateReportAtCommit(repoRoot, commitSha, clefVersion, runner2) {
-  const tmpDir = path42.join(os2.tmpdir(), `clef-report-${commitSha.slice(0, 8)}-${Date.now()}`);
+  const tmpDir = path42.join(os3.tmpdir(), `clef-report-${commitSha.slice(0, 8)}-${Date.now()}`);
   try {
     const addResult = await runner2.run("git", ["worktree", "add", tmpDir, commitSha, "--detach"], {
       cwd: repoRoot
@@ -82157,7 +82333,7 @@ async function generateReportAtCommit(repoRoot, commitSha, clefVersion, runner2)
       await runner2.run("git", ["worktree", "remove", tmpDir, "--force"], { cwd: repoRoot });
     } catch {
       try {
-        fs25.rmSync(tmpDir, { recursive: true, force: true });
+        fs24.rmSync(tmpDir, { recursive: true, force: true });
         await runner2.run("git", ["worktree", "prune"], { cwd: repoRoot });
       } catch {
       }
@@ -82247,13 +82423,7 @@ function registerReportCommand(program3, deps2) {
         }
         outputReport(headReport, options);
       } catch (err) {
-        if (err instanceof SopsMissingError || err instanceof SopsVersionError) {
-          formatter.formatDependencyError(err);
-          process.exit(1);
-          return;
-        }
-        formatter.error(err.message);
-        process.exit(1);
+        handleCommandError(err);
       }
     }
   );
@@ -82384,7 +82554,7 @@ function formatReportOutput(report) {
 }
 
 // src/commands/install.ts
-var fs26 = __toESM(require("fs"));
+var fs25 = __toESM(require("fs"));
 var path43 = __toESM(require("path"));
 var import_yaml = __toESM(require_dist());
 
@@ -82434,7 +82604,7 @@ function registerInstallCommand(program3, _deps) {
         return;
       }
       const brokerDir = path43.join(repoRoot, "brokers", entry.name);
-      if (fs26.existsSync(brokerDir) && !options.force) {
+      if (fs25.existsSync(brokerDir) && !options.force) {
         const overwrite = await formatter.confirm(
           `brokers/${entry.name}/ already exists. Overwrite?`
         );
@@ -82465,11 +82635,11 @@ function registerInstallCommand(program3, _deps) {
         process.exit(1);
         return;
       }
-      if (!fs26.existsSync(brokerDir)) {
-        fs26.mkdirSync(brokerDir, { recursive: true });
+      if (!fs25.existsSync(brokerDir)) {
+        fs25.mkdirSync(brokerDir, { recursive: true });
       }
       for (const file of files) {
-        fs26.writeFileSync(path43.join(brokerDir, file.name), file.content, "utf-8");
+        fs25.writeFileSync(path43.join(brokerDir, file.name), file.content, "utf-8");
       }
       const manifestFile = files.find((f) => f.name === "broker.yaml");
       const manifest = manifestFile ? (0, import_yaml.parse)(manifestFile.content) : {};