@clef-sh/client 0.1.2-beta.92

package/README.md

@@ -0,0 +1,58 @@
+# @clef-sh/client
+
+Lightweight SDK for consuming [Clef](https://clef.sh) secrets at runtime. Zero dependencies.
+
+## Install
+
+```bash
+npm install @clef-sh/client
+```
+
+## App SDK
+
+Read secrets from a `clef serve` endpoint (or Clef Cloud). Falls back to environment variables.
+
+```typescript
+import { ClefClient } from "@clef-sh/client";
+
+const secrets = new ClefClient();
+
+const dbUrl = await secrets.get("DB_URL");
+const all = await secrets.getAll();
+const keyNames = await secrets.keys();
+const isUp = await secrets.health();
+```
+
+### Configuration
+
+| Option        | Env var              | Default                 | Description                                   |
+| ------------- | -------------------- | ----------------------- | --------------------------------------------- |
+| `endpoint`    | `CLEF_ENDPOINT`      | `http://127.0.0.1:7779` | Serve endpoint URL                            |
+| `token`       | `CLEF_SERVICE_TOKEN` | —                       | Bearer token for authentication               |
+| `envFallback` | —                    | `true`                  | Fall back to `process.env` when key not found |
+| `cacheTtlMs`  | —                    | `0`                     | In-memory cache TTL (0 = no caching)          |
+
+## Cloud KMS Provider
+
+For `@clef-sh/runtime` integration — decrypts artifacts encrypted with Clef Cloud's managed KMS.
+
+```typescript
+import { CloudKmsProvider } from "@clef-sh/client/kms";
+
+const kms = new CloudKmsProvider({
+  endpoint: "https://api.clef.sh",
+  token: process.env.CLEF_SERVICE_TOKEN,
+});
+```
+
+The runtime uses this automatically when a packed artifact specifies the `cloud` KMS provider.
+
+## Documentation
+
+- [Runtime Agent guide](https://docs.clef.sh/guide/agent)
+- [Clef Cloud guide](https://docs.clef.sh/guide/cloud)
+- [API reference](https://docs.clef.sh/api/)
+
+## License
+
+MIT

package/dist/auth.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Resolve a service token from an explicit value or CLEF_SERVICE_TOKEN env var.
+ */
+export declare function resolveToken(explicit?: string): string;
+/**
+ * Resolve the serve endpoint from an explicit value or CLEF_ENDPOINT env var.
+ */
+export declare function resolveEndpoint(explicit?: string): string;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAYtD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAQzD"}

package/dist/clef-client.d.ts

@@ -0,0 +1,28 @@
+import { ClefClientOptions } from "./types";
+/**
+ * Lightweight client for consuming Clef secrets from a serve endpoint.
+ *
+ * ```typescript
+ * const secrets = new ClefClient();
+ * const dbUrl = await secrets.get("DB_URL");
+ * ```
+ */
+export declare class ClefClient {
+    private readonly endpoint;
+    private readonly token;
+    private readonly envFallback;
+    private readonly cacheTtlMs;
+    private readonly fetchFn;
+    private cache;
+    constructor(options?: ClefClientOptions);
+    /** Get a single secret by key. Falls back to env var if configured. */
+    get(key: string): Promise<string | undefined>;
+    /** Get all secrets as a key-value map. */
+    getAll(): Promise<Record<string, string>>;
+    /** List available key names. */
+    keys(): Promise<string[]>;
+    /** Check if the serve endpoint is reachable. */
+    health(): Promise<boolean>;
+    private fetchSecrets;
+}
+//# sourceMappingURL=clef-client.d.ts.map

package/dist/clef-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clef-client.d.ts","sourceRoot":"","sources":["../src/clef-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAS5C;;;;;;;GAOG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAU;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA0B;IAClD,OAAO,CAAC,KAAK,CAA2B;gBAE5B,OAAO,CAAC,EAAE,iBAAiB;IAQvC,uEAAuE;IACjE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAYnD,0CAA0C;IACpC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAI/C,gCAAgC;IAC1B,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAK/B,gDAAgD;IAC1C,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC;YASlB,YAAY;CAqB3B"}

package/dist/cloud-kms-provider.d.ts

@@ -0,0 +1,21 @@
+import { CloudKmsProviderOptions } from "./types";
+/**
+ * Clef Cloud KMS provider.
+ *
+ * Implements the KmsProvider interface (structurally — no import needed)
+ * for use with @clef-sh/runtime's createKmsProvider factory.
+ *
+ * Only `unwrap()` is supported. Encryption (wrap) is handled by the
+ * keyservice sidecar during `clef pack`.
+ */
+export declare class CloudKmsProvider {
+    private readonly endpoint;
+    private readonly token;
+    constructor(options: CloudKmsProviderOptions);
+    wrap(_keyId: string, _plaintext: Buffer): Promise<{
+        wrappedKey: Buffer;
+        algorithm: string;
+    }>;
+    unwrap(keyId: string, wrappedKey: Buffer, _algorithm: string): Promise<Buffer>;
+}
+//# sourceMappingURL=cloud-kms-provider.d.ts.map

package/dist/cloud-kms-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloud-kms-provider.d.ts","sourceRoot":"","sources":["../src/cloud-kms-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAmB,MAAM,SAAS,CAAC;AAInE;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;gBAEnB,OAAO,EAAE,uBAAuB;IAKtC,IAAI,CACR,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAM/C,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAcrF"}

package/dist/http.d.ts

@@ -0,0 +1,14 @@
+interface RequestOptions {
+    method: "GET" | "POST";
+    path: string;
+    body?: unknown;
+    token: string;
+    fetchFn: typeof globalThis.fetch;
+}
+/**
+ * Make an authenticated HTTP request to a Clef endpoint.
+ * Handles the { data, success, message } envelope and retries once on 5xx.
+ */
+export declare function request<T>(baseUrl: string, opts: RequestOptions): Promise<T>;
+export {};
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":"AAEA,UAAU,cAAc;IACtB,MAAM,EAAE,KAAK,GAAG,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CAClC;AAED;;;GAGG;AACH,wBAAsB,OAAO,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,CAAC,CAAC,CAgElF"}

package/dist/index.d.mts

@@ -0,0 +1,4 @@
+export { ClefClient } from "./clef-client";
+export { ClefClientError } from "./types";
+export type { ClefClientOptions } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { ClefClient } from "./clef-client";
+export { ClefClientError } from "./types";
+export type { ClefClientOptions } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC1C,YAAY,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,177 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ClefClient: () => ClefClient,
+  ClefClientError: () => ClefClientError
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/types.ts
+var ClefClientError = class extends Error {
+  constructor(message, statusCode, fix) {
+    super(message);
+    this.statusCode = statusCode;
+    this.fix = fix;
+    this.name = "ClefClientError";
+  }
+  statusCode;
+  fix;
+};
+
+// src/auth.ts
+function resolveToken(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+    return process.env.CLEF_SERVICE_TOKEN;
+  }
+  throw new ClefClientError(
+    "No service token configured",
+    void 0,
+    "Set CLEF_SERVICE_TOKEN or pass token in options."
+  );
+}
+function resolveEndpoint(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_ENDPOINT) {
+    return process.env.CLEF_ENDPOINT;
+  }
+  return "http://127.0.0.1:7779";
+}
+
+// src/http.ts
+async function request(baseUrl, opts) {
+  const url = `${baseUrl}${opts.path}`;
+  const headers = {
+    Authorization: `Bearer ${opts.token}`,
+    Accept: "application/json"
+  };
+  if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+  }
+  const init = {
+    method: opts.method,
+    headers,
+    body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+  };
+  let response;
+  try {
+    response = await opts.fetchFn(url, init);
+  } catch (err) {
+    try {
+      response = await opts.fetchFn(url, init);
+    } catch {
+      throw new ClefClientError(
+        `Connection failed: ${err.message}`,
+        void 0,
+        "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+      );
+    }
+  }
+  if (response.status >= 500) {
+    response = await opts.fetchFn(url, init);
+  }
+  if (response.status === 401) {
+    throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+  }
+  if (response.status === 503) {
+    throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+  }
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new ClefClientError(
+      `HTTP ${response.status}: ${text || response.statusText}`,
+      response.status
+    );
+  }
+  const json = await response.json();
+  if (json && typeof json === "object" && "success" in json) {
+    if (!json.success) {
+      throw new ClefClientError(json.message || "Request failed", response.status);
+    }
+    return json.data;
+  }
+  return json;
+}
+
+// src/clef-client.ts
+var ClefClient = class {
+  endpoint;
+  token;
+  envFallback;
+  cacheTtlMs;
+  fetchFn;
+  cache = null;
+  constructor(options) {
+    this.endpoint = resolveEndpoint(options?.endpoint);
+    this.token = resolveToken(options?.token);
+    this.envFallback = options?.envFallback ?? true;
+    this.cacheTtlMs = options?.cacheTtlMs ?? 0;
+    this.fetchFn = options?.fetch ?? globalThis.fetch;
+  }
+  /** Get a single secret by key. Falls back to env var if configured. */
+  async get(key) {
+    const all = await this.fetchSecrets();
+    const value = all[key];
+    if (value !== void 0) return value;
+    if (this.envFallback && typeof process !== "undefined") {
+      return process.env[key];
+    }
+    return void 0;
+  }
+  /** Get all secrets as a key-value map. */
+  async getAll() {
+    return this.fetchSecrets();
+  }
+  /** List available key names. */
+  async keys() {
+    const all = await this.fetchSecrets();
+    return Object.keys(all);
+  }
+  /** Check if the serve endpoint is reachable. */
+  async health() {
+    try {
+      const response = await this.fetchFn(`${this.endpoint}/v1/health`);
+      return response.ok;
+    } catch {
+      return false;
+    }
+  }
+  async fetchSecrets() {
+    if (this.cacheTtlMs > 0 && this.cache) {
+      const age = Date.now() - this.cache.fetchedAt;
+      if (age < this.cacheTtlMs) {
+        return this.cache.secrets;
+      }
+    }
+    const secrets = await request(this.endpoint, {
+      method: "GET",
+      path: "/v1/secrets",
+      token: this.token,
+      fetchFn: this.fetchFn
+    });
+    if (this.cacheTtlMs > 0) {
+      this.cache = { secrets, fetchedAt: Date.now() };
+    }
+    return secrets;
+  }
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/index.ts", "../src/types.ts", "../src/auth.ts", "../src/http.ts", "../src/clef-client.ts"],
+  "sourcesContent": ["export { ClefClient } from \"./clef-client\";\nexport { ClefClientError } from \"./types\";\nexport type { ClefClientOptions } from \"./types\";\n", "/** Configuration for the ClefClient app SDK. */\nexport interface ClefClientOptions {\n  /** Base URL of the clef serve endpoint. Default: http://127.0.0.1:7779 */\n  endpoint?: string;\n  /** Bearer token for authentication. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n  /** Fall back to process.env when a key is not found. Default: true */\n  envFallback?: boolean;\n  /** In-memory cache TTL in milliseconds. 0 = no caching. Default: 0 */\n  cacheTtlMs?: number;\n  /** Custom fetch implementation (for testing or edge runtimes). */\n  fetch?: typeof globalThis.fetch;\n}\n\n/** Configuration for the Cloud KMS provider. */\nexport interface CloudKmsProviderOptions {\n  /** Clef Cloud API endpoint. Falls back to CLEF_ENDPOINT env var. */\n  endpoint: string;\n  /** Bearer token for Cloud API auth. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n}\n\n/** Error thrown by ClefClient and CloudKmsProvider. */\nexport class ClefClientError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n    public readonly fix?: string,\n  ) {\n    super(message);\n    this.name = \"ClefClientError\";\n  }\n}\n", "import { ClefClientError } from \"./types\";\n\n/**\n * Resolve a service token from an explicit value or CLEF_SERVICE_TOKEN env var.\n */\nexport function resolveToken(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_SERVICE_TOKEN) {\n    return process.env.CLEF_SERVICE_TOKEN;\n  }\n\n  throw new ClefClientError(\n    \"No service token configured\",\n    undefined,\n    \"Set CLEF_SERVICE_TOKEN or pass token in options.\",\n  );\n}\n\n/**\n * Resolve the serve endpoint from an explicit value or CLEF_ENDPOINT env var.\n */\nexport function resolveEndpoint(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_ENDPOINT) {\n    return process.env.CLEF_ENDPOINT;\n  }\n\n  return \"http://127.0.0.1:7779\";\n}\n", "import { ClefClientError } from \"./types\";\n\ninterface RequestOptions {\n  method: \"GET\" | \"POST\";\n  path: string;\n  body?: unknown;\n  token: string;\n  fetchFn: typeof globalThis.fetch;\n}\n\n/**\n * Make an authenticated HTTP request to a Clef endpoint.\n * Handles the { data, success, message } envelope and retries once on 5xx.\n */\nexport async function request<T>(baseUrl: string, opts: RequestOptions): Promise<T> {\n  const url = `${baseUrl}${opts.path}`;\n  const headers: Record<string, string> = {\n    Authorization: `Bearer ${opts.token}`,\n    Accept: \"application/json\",\n  };\n  if (opts.body !== undefined) {\n    headers[\"Content-Type\"] = \"application/json\";\n  }\n\n  const init: RequestInit = {\n    method: opts.method,\n    headers,\n    body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n  };\n\n  let response: Response;\n  try {\n    response = await opts.fetchFn(url, init);\n  } catch (err) {\n    // Retry once on network error\n    try {\n      response = await opts.fetchFn(url, init);\n    } catch {\n      throw new ClefClientError(\n        `Connection failed: ${(err as Error).message}`,\n        undefined,\n        \"Is the endpoint reachable? Check your CLEF_ENDPOINT setting.\",\n      );\n    }\n  }\n\n  // Retry once on 5xx\n  if (response.status >= 500) {\n    response = await opts.fetchFn(url, init);\n  }\n\n  if (response.status === 401) {\n    throw new ClefClientError(\"Authentication failed\", 401, \"Check your CLEF_SERVICE_TOKEN.\");\n  }\n\n  if (response.status === 503) {\n    throw new ClefClientError(\"Secrets expired or not loaded\", 503, \"Check the agent logs.\");\n  }\n\n  if (!response.ok) {\n    const text = await response.text().catch(() => \"\");\n    throw new ClefClientError(\n      `HTTP ${response.status}: ${text || response.statusText}`,\n      response.status,\n    );\n  }\n\n  const json = await response.json();\n\n  // Unwrap { data, success, message } envelope if present\n  if (json && typeof json === \"object\" && \"success\" in json) {\n    if (!json.success) {\n      throw new ClefClientError(json.message || \"Request failed\", response.status);\n    }\n    return json.data as T;\n  }\n\n  return json as T;\n}\n", "import { ClefClientOptions } from \"./types\";\nimport { resolveToken, resolveEndpoint } from \"./auth\";\nimport { request } from \"./http\";\n\ninterface CacheEntry {\n  secrets: Record<string, string>;\n  fetchedAt: number;\n}\n\n/**\n * Lightweight client for consuming Clef secrets from a serve endpoint.\n *\n * ```typescript\n * const secrets = new ClefClient();\n * const dbUrl = await secrets.get(\"DB_URL\");\n * ```\n */\nexport class ClefClient {\n  private readonly endpoint: string;\n  private readonly token: string;\n  private readonly envFallback: boolean;\n  private readonly cacheTtlMs: number;\n  private readonly fetchFn: typeof globalThis.fetch;\n  private cache: CacheEntry | null = null;\n\n  constructor(options?: ClefClientOptions) {\n    this.endpoint = resolveEndpoint(options?.endpoint);\n    this.token = resolveToken(options?.token);\n    this.envFallback = options?.envFallback ?? true;\n    this.cacheTtlMs = options?.cacheTtlMs ?? 0;\n    this.fetchFn = options?.fetch ?? globalThis.fetch;\n  }\n\n  /** Get a single secret by key. Falls back to env var if configured. */\n  async get(key: string): Promise<string | undefined> {\n    const all = await this.fetchSecrets();\n    const value = all[key];\n    if (value !== undefined) return value;\n\n    if (this.envFallback && typeof process !== \"undefined\") {\n      return process.env[key];\n    }\n\n    return undefined;\n  }\n\n  /** Get all secrets as a key-value map. */\n  async getAll(): Promise<Record<string, string>> {\n    return this.fetchSecrets();\n  }\n\n  /** List available key names. */\n  async keys(): Promise<string[]> {\n    const all = await this.fetchSecrets();\n    return Object.keys(all);\n  }\n\n  /** Check if the serve endpoint is reachable. */\n  async health(): Promise<boolean> {\n    try {\n      const response = await this.fetchFn(`${this.endpoint}/v1/health`);\n      return response.ok;\n    } catch {\n      return false;\n    }\n  }\n\n  private async fetchSecrets(): Promise<Record<string, string>> {\n    if (this.cacheTtlMs > 0 && this.cache) {\n      const age = Date.now() - this.cache.fetchedAt;\n      if (age < this.cacheTtlMs) {\n        return this.cache.secrets;\n      }\n    }\n\n    const secrets = await request<Record<string, string>>(this.endpoint, {\n      method: \"GET\",\n      path: \"/v1/secrets\",\n      token: this.token,\n      fetchFn: this.fetchFn,\n    });\n\n    if (this.cacheTtlMs > 0) {\n      this.cache = { secrets, fetchedAt: Date.now() };\n    }\n\n    return secrets;\n  }\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACuBO,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,YACA,KAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;;;AC3BO,SAAS,aAAa,UAA2B;AACtD,MAAI,SAAU,QAAO;AAErB,MAAI,OAAO,YAAY,eAAe,QAAQ,KAAK,oBAAoB;AACrE,WAAO,QAAQ,IAAI;AAAA,EACrB;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAKO,SAAS,gBAAgB,UAA2B;AACzD,MAAI,SAAU,QAAO;AAErB,MAAI,OAAO,YAAY,eAAe,QAAQ,KAAK,eAAe;AAChE,WAAO,QAAQ,IAAI;AAAA,EACrB;AAEA,SAAO;AACT;;;AChBA,eAAsB,QAAW,SAAiB,MAAkC;AAClF,QAAM,MAAM,GAAG,OAAO,GAAG,KAAK,IAAI;AAClC,QAAM,UAAkC;AAAA,IACtC,eAAe,UAAU,KAAK,KAAK;AAAA,IACnC,QAAQ;AAAA,EACV;AACA,MAAI,KAAK,SAAS,QAAW;AAC3B,YAAQ,cAAc,IAAI;AAAA,EAC5B;AAEA,QAAM,OAAoB;AAAA,IACxB,QAAQ,KAAK;AAAA,IACb;AAAA,IACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,EAC9D;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC,SAAS,KAAK;AAEZ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,IACzC,QAAQ;AACN,YAAM,IAAI;AAAA,QACR,sBAAuB,IAAc,OAAO;AAAA,QAC5C;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MAAI,SAAS,UAAU,KAAK;AAC1B,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,yBAAyB,KAAK,gCAAgC;AAAA,EAC1F;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,iCAAiC,KAAK,uBAAuB;AAAA,EACzF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,OAAO,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,EAAE;AACjD,UAAM,IAAI;AAAA,MACR,QAAQ,SAAS,MAAM,KAAK,QAAQ,SAAS,UAAU;AAAA,MACvD,SAAS;AAAA,IACX;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,QAAQ,OAAO,SAAS,YAAY,aAAa,MAAM;AACzD,QAAI,CAAC,KAAK,SAAS;AACjB,YAAM,IAAI,gBAAgB,KAAK,WAAW,kBAAkB,SAAS,MAAM;AAAA,IAC7E;AACA,WAAO,KAAK;AAAA,EACd;AAEA,SAAO;AACT;;;AC7DO,IAAM,aAAN,MAAiB;AAAA,EACL;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,QAA2B;AAAA,EAEnC,YAAY,SAA6B;AACvC,SAAK,WAAW,gBAAgB,SAAS,QAAQ;AACjD,SAAK,QAAQ,aAAa,SAAS,KAAK;AACxC,SAAK,cAAc,SAAS,eAAe;AAC3C,SAAK,aAAa,SAAS,cAAc;AACzC,SAAK,UAAU,SAAS,SAAS,WAAW;AAAA,EAC9C;AAAA;AAAA,EAGA,MAAM,IAAI,KAA0C;AAClD,UAAM,MAAM,MAAM,KAAK,aAAa;AACpC,UAAM,QAAQ,IAAI,GAAG;AACrB,QAAI,UAAU,OAAW,QAAO;AAEhC,QAAI,KAAK,eAAe,OAAO,YAAY,aAAa;AACtD,aAAO,QAAQ,IAAI,GAAG;AAAA,IACxB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,SAA0C;AAC9C,WAAO,KAAK,aAAa;AAAA,EAC3B;AAAA;AAAA,EAGA,MAAM,OAA0B;AAC9B,UAAM,MAAM,MAAM,KAAK,aAAa;AACpC,WAAO,OAAO,KAAK,GAAG;AAAA,EACxB;AAAA;AAAA,EAGA,MAAM,SAA2B;AAC/B,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,QAAQ,GAAG,KAAK,QAAQ,YAAY;AAChE,aAAO,SAAS;AAAA,IAClB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,eAAgD;AAC5D,QAAI,KAAK,aAAa,KAAK,KAAK,OAAO;AACrC,YAAM,MAAM,KAAK,IAAI,IAAI,KAAK,MAAM;AACpC,UAAI,MAAM,KAAK,YAAY;AACzB,eAAO,KAAK,MAAM;AAAA,MACpB;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,QAAgC,KAAK,UAAU;AAAA,MACnE,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,OAAO,KAAK;AAAA,MACZ,SAAS,KAAK;AAAA,IAChB,CAAC;AAED,QAAI,KAAK,aAAa,GAAG;AACvB,WAAK,QAAQ,EAAE,SAAS,WAAW,KAAK,IAAI,EAAE;AAAA,IAChD;AAEA,WAAO;AAAA,EACT;AACF;",
+  "names": []
+}

package/dist/index.mjs

@@ -0,0 +1,154 @@
+// src/types.ts
+var ClefClientError = class extends Error {
+  constructor(message, statusCode, fix) {
+    super(message);
+    this.statusCode = statusCode;
+    this.fix = fix;
+    this.name = "ClefClientError";
+  }
+  statusCode;
+  fix;
+};
+
+// src/auth.ts
+function resolveToken(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+    return process.env.CLEF_SERVICE_TOKEN;
+  }
+  throw new ClefClientError(
+    "No service token configured",
+    void 0,
+    "Set CLEF_SERVICE_TOKEN or pass token in options."
+  );
+}
+function resolveEndpoint(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_ENDPOINT) {
+    return process.env.CLEF_ENDPOINT;
+  }
+  return "http://127.0.0.1:7779";
+}
+
+// src/http.ts
+async function request(baseUrl, opts) {
+  const url = `${baseUrl}${opts.path}`;
+  const headers = {
+    Authorization: `Bearer ${opts.token}`,
+    Accept: "application/json"
+  };
+  if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+  }
+  const init = {
+    method: opts.method,
+    headers,
+    body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+  };
+  let response;
+  try {
+    response = await opts.fetchFn(url, init);
+  } catch (err) {
+    try {
+      response = await opts.fetchFn(url, init);
+    } catch {
+      throw new ClefClientError(
+        `Connection failed: ${err.message}`,
+        void 0,
+        "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+      );
+    }
+  }
+  if (response.status >= 500) {
+    response = await opts.fetchFn(url, init);
+  }
+  if (response.status === 401) {
+    throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+  }
+  if (response.status === 503) {
+    throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+  }
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new ClefClientError(
+      `HTTP ${response.status}: ${text || response.statusText}`,
+      response.status
+    );
+  }
+  const json = await response.json();
+  if (json && typeof json === "object" && "success" in json) {
+    if (!json.success) {
+      throw new ClefClientError(json.message || "Request failed", response.status);
+    }
+    return json.data;
+  }
+  return json;
+}
+
+// src/clef-client.ts
+var ClefClient = class {
+  endpoint;
+  token;
+  envFallback;
+  cacheTtlMs;
+  fetchFn;
+  cache = null;
+  constructor(options) {
+    this.endpoint = resolveEndpoint(options?.endpoint);
+    this.token = resolveToken(options?.token);
+    this.envFallback = options?.envFallback ?? true;
+    this.cacheTtlMs = options?.cacheTtlMs ?? 0;
+    this.fetchFn = options?.fetch ?? globalThis.fetch;
+  }
+  /** Get a single secret by key. Falls back to env var if configured. */
+  async get(key) {
+    const all = await this.fetchSecrets();
+    const value = all[key];
+    if (value !== void 0) return value;
+    if (this.envFallback && typeof process !== "undefined") {
+      return process.env[key];
+    }
+    return void 0;
+  }
+  /** Get all secrets as a key-value map. */
+  async getAll() {
+    return this.fetchSecrets();
+  }
+  /** List available key names. */
+  async keys() {
+    const all = await this.fetchSecrets();
+    return Object.keys(all);
+  }
+  /** Check if the serve endpoint is reachable. */
+  async health() {
+    try {
+      const response = await this.fetchFn(`${this.endpoint}/v1/health`);
+      return response.ok;
+    } catch {
+      return false;
+    }
+  }
+  async fetchSecrets() {
+    if (this.cacheTtlMs > 0 && this.cache) {
+      const age = Date.now() - this.cache.fetchedAt;
+      if (age < this.cacheTtlMs) {
+        return this.cache.secrets;
+      }
+    }
+    const secrets = await request(this.endpoint, {
+      method: "GET",
+      path: "/v1/secrets",
+      token: this.token,
+      fetchFn: this.fetchFn
+    });
+    if (this.cacheTtlMs > 0) {
+      this.cache = { secrets, fetchedAt: Date.now() };
+    }
+    return secrets;
+  }
+};
+export {
+  ClefClient,
+  ClefClientError
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/types.ts", "../src/auth.ts", "../src/http.ts", "../src/clef-client.ts"],
+  "sourcesContent": ["/** Configuration for the ClefClient app SDK. */\nexport interface ClefClientOptions {\n  /** Base URL of the clef serve endpoint. Default: http://127.0.0.1:7779 */\n  endpoint?: string;\n  /** Bearer token for authentication. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n  /** Fall back to process.env when a key is not found. Default: true */\n  envFallback?: boolean;\n  /** In-memory cache TTL in milliseconds. 0 = no caching. Default: 0 */\n  cacheTtlMs?: number;\n  /** Custom fetch implementation (for testing or edge runtimes). */\n  fetch?: typeof globalThis.fetch;\n}\n\n/** Configuration for the Cloud KMS provider. */\nexport interface CloudKmsProviderOptions {\n  /** Clef Cloud API endpoint. Falls back to CLEF_ENDPOINT env var. */\n  endpoint: string;\n  /** Bearer token for Cloud API auth. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n}\n\n/** Error thrown by ClefClient and CloudKmsProvider. */\nexport class ClefClientError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n    public readonly fix?: string,\n  ) {\n    super(message);\n    this.name = \"ClefClientError\";\n  }\n}\n", "import { ClefClientError } from \"./types\";\n\n/**\n * Resolve a service token from an explicit value or CLEF_SERVICE_TOKEN env var.\n */\nexport function resolveToken(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_SERVICE_TOKEN) {\n    return process.env.CLEF_SERVICE_TOKEN;\n  }\n\n  throw new ClefClientError(\n    \"No service token configured\",\n    undefined,\n    \"Set CLEF_SERVICE_TOKEN or pass token in options.\",\n  );\n}\n\n/**\n * Resolve the serve endpoint from an explicit value or CLEF_ENDPOINT env var.\n */\nexport function resolveEndpoint(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_ENDPOINT) {\n    return process.env.CLEF_ENDPOINT;\n  }\n\n  return \"http://127.0.0.1:7779\";\n}\n", "import { ClefClientError } from \"./types\";\n\ninterface RequestOptions {\n  method: \"GET\" | \"POST\";\n  path: string;\n  body?: unknown;\n  token: string;\n  fetchFn: typeof globalThis.fetch;\n}\n\n/**\n * Make an authenticated HTTP request to a Clef endpoint.\n * Handles the { data, success, message } envelope and retries once on 5xx.\n */\nexport async function request<T>(baseUrl: string, opts: RequestOptions): Promise<T> {\n  const url = `${baseUrl}${opts.path}`;\n  const headers: Record<string, string> = {\n    Authorization: `Bearer ${opts.token}`,\n    Accept: \"application/json\",\n  };\n  if (opts.body !== undefined) {\n    headers[\"Content-Type\"] = \"application/json\";\n  }\n\n  const init: RequestInit = {\n    method: opts.method,\n    headers,\n    body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n  };\n\n  let response: Response;\n  try {\n    response = await opts.fetchFn(url, init);\n  } catch (err) {\n    // Retry once on network error\n    try {\n      response = await opts.fetchFn(url, init);\n    } catch {\n      throw new ClefClientError(\n        `Connection failed: ${(err as Error).message}`,\n        undefined,\n        \"Is the endpoint reachable? Check your CLEF_ENDPOINT setting.\",\n      );\n    }\n  }\n\n  // Retry once on 5xx\n  if (response.status >= 500) {\n    response = await opts.fetchFn(url, init);\n  }\n\n  if (response.status === 401) {\n    throw new ClefClientError(\"Authentication failed\", 401, \"Check your CLEF_SERVICE_TOKEN.\");\n  }\n\n  if (response.status === 503) {\n    throw new ClefClientError(\"Secrets expired or not loaded\", 503, \"Check the agent logs.\");\n  }\n\n  if (!response.ok) {\n    const text = await response.text().catch(() => \"\");\n    throw new ClefClientError(\n      `HTTP ${response.status}: ${text || response.statusText}`,\n      response.status,\n    );\n  }\n\n  const json = await response.json();\n\n  // Unwrap { data, success, message } envelope if present\n  if (json && typeof json === \"object\" && \"success\" in json) {\n    if (!json.success) {\n      throw new ClefClientError(json.message || \"Request failed\", response.status);\n    }\n    return json.data as T;\n  }\n\n  return json as T;\n}\n", "import { ClefClientOptions } from \"./types\";\nimport { resolveToken, resolveEndpoint } from \"./auth\";\nimport { request } from \"./http\";\n\ninterface CacheEntry {\n  secrets: Record<string, string>;\n  fetchedAt: number;\n}\n\n/**\n * Lightweight client for consuming Clef secrets from a serve endpoint.\n *\n * ```typescript\n * const secrets = new ClefClient();\n * const dbUrl = await secrets.get(\"DB_URL\");\n * ```\n */\nexport class ClefClient {\n  private readonly endpoint: string;\n  private readonly token: string;\n  private readonly envFallback: boolean;\n  private readonly cacheTtlMs: number;\n  private readonly fetchFn: typeof globalThis.fetch;\n  private cache: CacheEntry | null = null;\n\n  constructor(options?: ClefClientOptions) {\n    this.endpoint = resolveEndpoint(options?.endpoint);\n    this.token = resolveToken(options?.token);\n    this.envFallback = options?.envFallback ?? true;\n    this.cacheTtlMs = options?.cacheTtlMs ?? 0;\n    this.fetchFn = options?.fetch ?? globalThis.fetch;\n  }\n\n  /** Get a single secret by key. Falls back to env var if configured. */\n  async get(key: string): Promise<string | undefined> {\n    const all = await this.fetchSecrets();\n    const value = all[key];\n    if (value !== undefined) return value;\n\n    if (this.envFallback && typeof process !== \"undefined\") {\n      return process.env[key];\n    }\n\n    return undefined;\n  }\n\n  /** Get all secrets as a key-value map. */\n  async getAll(): Promise<Record<string, string>> {\n    return this.fetchSecrets();\n  }\n\n  /** List available key names. */\n  async keys(): Promise<string[]> {\n    const all = await this.fetchSecrets();\n    return Object.keys(all);\n  }\n\n  /** Check if the serve endpoint is reachable. */\n  async health(): Promise<boolean> {\n    try {\n      const response = await this.fetchFn(`${this.endpoint}/v1/health`);\n      return response.ok;\n    } catch {\n      return false;\n    }\n  }\n\n  private async fetchSecrets(): Promise<Record<string, string>> {\n    if (this.cacheTtlMs > 0 && this.cache) {\n      const age = Date.now() - this.cache.fetchedAt;\n      if (age < this.cacheTtlMs) {\n        return this.cache.secrets;\n      }\n    }\n\n    const secrets = await request<Record<string, string>>(this.endpoint, {\n      method: \"GET\",\n      path: \"/v1/secrets\",\n      token: this.token,\n      fetchFn: this.fetchFn,\n    });\n\n    if (this.cacheTtlMs > 0) {\n      this.cache = { secrets, fetchedAt: Date.now() };\n    }\n\n    return secrets;\n  }\n}\n"],
+  "mappings": ";AAuBO,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,YACA,KAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;;;AC3BO,SAAS,aAAa,UAA2B;AACtD,MAAI,SAAU,QAAO;AAErB,MAAI,OAAO,YAAY,eAAe,QAAQ,KAAK,oBAAoB;AACrE,WAAO,QAAQ,IAAI;AAAA,EACrB;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAKO,SAAS,gBAAgB,UAA2B;AACzD,MAAI,SAAU,QAAO;AAErB,MAAI,OAAO,YAAY,eAAe,QAAQ,KAAK,eAAe;AAChE,WAAO,QAAQ,IAAI;AAAA,EACrB;AAEA,SAAO;AACT;;;AChBA,eAAsB,QAAW,SAAiB,MAAkC;AAClF,QAAM,MAAM,GAAG,OAAO,GAAG,KAAK,IAAI;AAClC,QAAM,UAAkC;AAAA,IACtC,eAAe,UAAU,KAAK,KAAK;AAAA,IACnC,QAAQ;AAAA,EACV;AACA,MAAI,KAAK,SAAS,QAAW;AAC3B,YAAQ,cAAc,IAAI;AAAA,EAC5B;AAEA,QAAM,OAAoB;AAAA,IACxB,QAAQ,KAAK;AAAA,IACb;AAAA,IACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,EAC9D;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC,SAAS,KAAK;AAEZ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,IACzC,QAAQ;AACN,YAAM,IAAI;AAAA,QACR,sBAAuB,IAAc,OAAO;AAAA,QAC5C;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MAAI,SAAS,UAAU,KAAK;AAC1B,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,yBAAyB,KAAK,gCAAgC;AAAA,EAC1F;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,iCAAiC,KAAK,uBAAuB;AAAA,EACzF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,OAAO,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,EAAE;AACjD,UAAM,IAAI;AAAA,MACR,QAAQ,SAAS,MAAM,KAAK,QAAQ,SAAS,UAAU;AAAA,MACvD,SAAS;AAAA,IACX;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,QAAQ,OAAO,SAAS,YAAY,aAAa,MAAM;AACzD,QAAI,CAAC,KAAK,SAAS;AACjB,YAAM,IAAI,gBAAgB,KAAK,WAAW,kBAAkB,SAAS,MAAM;AAAA,IAC7E;AACA,WAAO,KAAK;AAAA,EACd;AAEA,SAAO;AACT;;;AC7DO,IAAM,aAAN,MAAiB;AAAA,EACL;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACT,QAA2B;AAAA,EAEnC,YAAY,SAA6B;AACvC,SAAK,WAAW,gBAAgB,SAAS,QAAQ;AACjD,SAAK,QAAQ,aAAa,SAAS,KAAK;AACxC,SAAK,cAAc,SAAS,eAAe;AAC3C,SAAK,aAAa,SAAS,cAAc;AACzC,SAAK,UAAU,SAAS,SAAS,WAAW;AAAA,EAC9C;AAAA;AAAA,EAGA,MAAM,IAAI,KAA0C;AAClD,UAAM,MAAM,MAAM,KAAK,aAAa;AACpC,UAAM,QAAQ,IAAI,GAAG;AACrB,QAAI,UAAU,OAAW,QAAO;AAEhC,QAAI,KAAK,eAAe,OAAO,YAAY,aAAa;AACtD,aAAO,QAAQ,IAAI,GAAG;AAAA,IACxB;AAEA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,MAAM,SAA0C;AAC9C,WAAO,KAAK,aAAa;AAAA,EAC3B;AAAA;AAAA,EAGA,MAAM,OAA0B;AAC9B,UAAM,MAAM,MAAM,KAAK,aAAa;AACpC,WAAO,OAAO,KAAK,GAAG;AAAA,EACxB;AAAA;AAAA,EAGA,MAAM,SAA2B;AAC/B,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,QAAQ,GAAG,KAAK,QAAQ,YAAY;AAChE,aAAO,SAAS;AAAA,IAClB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,eAAgD;AAC5D,QAAI,KAAK,aAAa,KAAK,KAAK,OAAO;AACrC,YAAM,MAAM,KAAK,IAAI,IAAI,KAAK,MAAM;AACpC,UAAI,MAAM,KAAK,YAAY;AACzB,eAAO,KAAK,MAAM;AAAA,MACpB;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,QAAgC,KAAK,UAAU;AAAA,MACnE,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,OAAO,KAAK;AAAA,MACZ,SAAS,KAAK;AAAA,IAChB,CAAC;AAED,QAAI,KAAK,aAAa,GAAG;AACvB,WAAK,QAAQ,EAAE,SAAS,WAAW,KAAK,IAAI,EAAE;AAAA,IAChD;AAEA,WAAO;AAAA,EACT;AACF;",
+  "names": []
+}

package/dist/kms.d.mts

@@ -0,0 +1,4 @@
+export { CloudKmsProvider } from "./cloud-kms-provider";
+export { ClefClientError } from "./types";
+export type { CloudKmsProviderOptions } from "./types";
+//# sourceMappingURL=kms.d.ts.map

package/dist/kms.d.ts

@@ -0,0 +1,4 @@
+export { CloudKmsProvider } from "./cloud-kms-provider";
+export { ClefClientError } from "./types";
+export type { CloudKmsProviderOptions } from "./types";
+//# sourceMappingURL=kms.d.ts.map

package/dist/kms.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms.d.ts","sourceRoot":"","sources":["../src/kms.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC1C,YAAY,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC"}

package/dist/kms.js

@@ -0,0 +1,140 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/kms.ts
+var kms_exports = {};
+__export(kms_exports, {
+  ClefClientError: () => ClefClientError,
+  CloudKmsProvider: () => CloudKmsProvider
+});
+module.exports = __toCommonJS(kms_exports);
+
+// src/types.ts
+var ClefClientError = class extends Error {
+  constructor(message, statusCode, fix) {
+    super(message);
+    this.statusCode = statusCode;
+    this.fix = fix;
+    this.name = "ClefClientError";
+  }
+  statusCode;
+  fix;
+};
+
+// src/auth.ts
+function resolveToken(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+    return process.env.CLEF_SERVICE_TOKEN;
+  }
+  throw new ClefClientError(
+    "No service token configured",
+    void 0,
+    "Set CLEF_SERVICE_TOKEN or pass token in options."
+  );
+}
+
+// src/http.ts
+async function request(baseUrl, opts) {
+  const url = `${baseUrl}${opts.path}`;
+  const headers = {
+    Authorization: `Bearer ${opts.token}`,
+    Accept: "application/json"
+  };
+  if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+  }
+  const init = {
+    method: opts.method,
+    headers,
+    body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+  };
+  let response;
+  try {
+    response = await opts.fetchFn(url, init);
+  } catch (err) {
+    try {
+      response = await opts.fetchFn(url, init);
+    } catch {
+      throw new ClefClientError(
+        `Connection failed: ${err.message}`,
+        void 0,
+        "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+      );
+    }
+  }
+  if (response.status >= 500) {
+    response = await opts.fetchFn(url, init);
+  }
+  if (response.status === 401) {
+    throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+  }
+  if (response.status === 503) {
+    throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+  }
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new ClefClientError(
+      `HTTP ${response.status}: ${text || response.statusText}`,
+      response.status
+    );
+  }
+  const json = await response.json();
+  if (json && typeof json === "object" && "success" in json) {
+    if (!json.success) {
+      throw new ClefClientError(json.message || "Request failed", response.status);
+    }
+    return json.data;
+  }
+  return json;
+}
+
+// src/cloud-kms-provider.ts
+var CloudKmsProvider = class {
+  endpoint;
+  token;
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.token = resolveToken(options.token);
+  }
+  async wrap(_keyId, _plaintext) {
+    throw new ClefClientError(
+      "CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption."
+    );
+  }
+  async unwrap(keyId, wrappedKey, _algorithm) {
+    const result = await request(this.endpoint, {
+      method: "POST",
+      path: "/api/v1/cloud/kms/decrypt",
+      body: {
+        keyArn: keyId,
+        ciphertext: wrappedKey.toString("base64")
+      },
+      token: this.token,
+      fetchFn: globalThis.fetch
+    });
+    return Buffer.from(result.plaintext, "base64");
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ClefClientError,
+  CloudKmsProvider
+});
+//# sourceMappingURL=kms.js.map

package/dist/kms.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/kms.ts", "../src/types.ts", "../src/auth.ts", "../src/http.ts", "../src/cloud-kms-provider.ts"],
+  "sourcesContent": ["export { CloudKmsProvider } from \"./cloud-kms-provider\";\nexport { ClefClientError } from \"./types\";\nexport type { CloudKmsProviderOptions } from \"./types\";\n", "/** Configuration for the ClefClient app SDK. */\nexport interface ClefClientOptions {\n  /** Base URL of the clef serve endpoint. Default: http://127.0.0.1:7779 */\n  endpoint?: string;\n  /** Bearer token for authentication. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n  /** Fall back to process.env when a key is not found. Default: true */\n  envFallback?: boolean;\n  /** In-memory cache TTL in milliseconds. 0 = no caching. Default: 0 */\n  cacheTtlMs?: number;\n  /** Custom fetch implementation (for testing or edge runtimes). */\n  fetch?: typeof globalThis.fetch;\n}\n\n/** Configuration for the Cloud KMS provider. */\nexport interface CloudKmsProviderOptions {\n  /** Clef Cloud API endpoint. Falls back to CLEF_ENDPOINT env var. */\n  endpoint: string;\n  /** Bearer token for Cloud API auth. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n}\n\n/** Error thrown by ClefClient and CloudKmsProvider. */\nexport class ClefClientError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n    public readonly fix?: string,\n  ) {\n    super(message);\n    this.name = \"ClefClientError\";\n  }\n}\n", "import { ClefClientError } from \"./types\";\n\n/**\n * Resolve a service token from an explicit value or CLEF_SERVICE_TOKEN env var.\n */\nexport function resolveToken(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_SERVICE_TOKEN) {\n    return process.env.CLEF_SERVICE_TOKEN;\n  }\n\n  throw new ClefClientError(\n    \"No service token configured\",\n    undefined,\n    \"Set CLEF_SERVICE_TOKEN or pass token in options.\",\n  );\n}\n\n/**\n * Resolve the serve endpoint from an explicit value or CLEF_ENDPOINT env var.\n */\nexport function resolveEndpoint(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_ENDPOINT) {\n    return process.env.CLEF_ENDPOINT;\n  }\n\n  return \"http://127.0.0.1:7779\";\n}\n", "import { ClefClientError } from \"./types\";\n\ninterface RequestOptions {\n  method: \"GET\" | \"POST\";\n  path: string;\n  body?: unknown;\n  token: string;\n  fetchFn: typeof globalThis.fetch;\n}\n\n/**\n * Make an authenticated HTTP request to a Clef endpoint.\n * Handles the { data, success, message } envelope and retries once on 5xx.\n */\nexport async function request<T>(baseUrl: string, opts: RequestOptions): Promise<T> {\n  const url = `${baseUrl}${opts.path}`;\n  const headers: Record<string, string> = {\n    Authorization: `Bearer ${opts.token}`,\n    Accept: \"application/json\",\n  };\n  if (opts.body !== undefined) {\n    headers[\"Content-Type\"] = \"application/json\";\n  }\n\n  const init: RequestInit = {\n    method: opts.method,\n    headers,\n    body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n  };\n\n  let response: Response;\n  try {\n    response = await opts.fetchFn(url, init);\n  } catch (err) {\n    // Retry once on network error\n    try {\n      response = await opts.fetchFn(url, init);\n    } catch {\n      throw new ClefClientError(\n        `Connection failed: ${(err as Error).message}`,\n        undefined,\n        \"Is the endpoint reachable? Check your CLEF_ENDPOINT setting.\",\n      );\n    }\n  }\n\n  // Retry once on 5xx\n  if (response.status >= 500) {\n    response = await opts.fetchFn(url, init);\n  }\n\n  if (response.status === 401) {\n    throw new ClefClientError(\"Authentication failed\", 401, \"Check your CLEF_SERVICE_TOKEN.\");\n  }\n\n  if (response.status === 503) {\n    throw new ClefClientError(\"Secrets expired or not loaded\", 503, \"Check the agent logs.\");\n  }\n\n  if (!response.ok) {\n    const text = await response.text().catch(() => \"\");\n    throw new ClefClientError(\n      `HTTP ${response.status}: ${text || response.statusText}`,\n      response.status,\n    );\n  }\n\n  const json = await response.json();\n\n  // Unwrap { data, success, message } envelope if present\n  if (json && typeof json === \"object\" && \"success\" in json) {\n    if (!json.success) {\n      throw new ClefClientError(json.message || \"Request failed\", response.status);\n    }\n    return json.data as T;\n  }\n\n  return json as T;\n}\n", "import { CloudKmsProviderOptions, ClefClientError } from \"./types\";\nimport { resolveToken } from \"./auth\";\nimport { request } from \"./http\";\n\n/**\n * Clef Cloud KMS provider.\n *\n * Implements the KmsProvider interface (structurally \u2014 no import needed)\n * for use with @clef-sh/runtime's createKmsProvider factory.\n *\n * Only `unwrap()` is supported. Encryption (wrap) is handled by the\n * keyservice sidecar during `clef pack`.\n */\nexport class CloudKmsProvider {\n  private readonly endpoint: string;\n  private readonly token: string;\n\n  constructor(options: CloudKmsProviderOptions) {\n    this.endpoint = options.endpoint;\n    this.token = resolveToken(options.token);\n  }\n\n  async wrap(\n    _keyId: string,\n    _plaintext: Buffer,\n  ): Promise<{ wrappedKey: Buffer; algorithm: string }> {\n    throw new ClefClientError(\n      \"CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption.\",\n    );\n  }\n\n  async unwrap(keyId: string, wrappedKey: Buffer, _algorithm: string): Promise<Buffer> {\n    const result = await request<{ plaintext: string }>(this.endpoint, {\n      method: \"POST\",\n      path: \"/api/v1/cloud/kms/decrypt\",\n      body: {\n        keyArn: keyId,\n        ciphertext: wrappedKey.toString(\"base64\"),\n      },\n      token: this.token,\n      fetchFn: globalThis.fetch,\n    });\n\n    return Buffer.from(result.plaintext, \"base64\");\n  }\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACuBO,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,YACA,KAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;;;AC3BO,SAAS,aAAa,UAA2B;AACtD,MAAI,SAAU,QAAO;AAErB,MAAI,OAAO,YAAY,eAAe,QAAQ,KAAK,oBAAoB;AACrE,WAAO,QAAQ,IAAI;AAAA,EACrB;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACHA,eAAsB,QAAW,SAAiB,MAAkC;AAClF,QAAM,MAAM,GAAG,OAAO,GAAG,KAAK,IAAI;AAClC,QAAM,UAAkC;AAAA,IACtC,eAAe,UAAU,KAAK,KAAK;AAAA,IACnC,QAAQ;AAAA,EACV;AACA,MAAI,KAAK,SAAS,QAAW;AAC3B,YAAQ,cAAc,IAAI;AAAA,EAC5B;AAEA,QAAM,OAAoB;AAAA,IACxB,QAAQ,KAAK;AAAA,IACb;AAAA,IACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,EAC9D;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC,SAAS,KAAK;AAEZ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,IACzC,QAAQ;AACN,YAAM,IAAI;AAAA,QACR,sBAAuB,IAAc,OAAO;AAAA,QAC5C;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MAAI,SAAS,UAAU,KAAK;AAC1B,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,yBAAyB,KAAK,gCAAgC;AAAA,EAC1F;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,iCAAiC,KAAK,uBAAuB;AAAA,EACzF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,OAAO,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,EAAE;AACjD,UAAM,IAAI;AAAA,MACR,QAAQ,SAAS,MAAM,KAAK,QAAQ,SAAS,UAAU;AAAA,MACvD,SAAS;AAAA,IACX;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,QAAQ,OAAO,SAAS,YAAY,aAAa,MAAM;AACzD,QAAI,CAAC,KAAK,SAAS;AACjB,YAAM,IAAI,gBAAgB,KAAK,WAAW,kBAAkB,SAAS,MAAM;AAAA,IAC7E;AACA,WAAO,KAAK;AAAA,EACd;AAEA,SAAO;AACT;;;ACjEO,IAAM,mBAAN,MAAuB;AAAA,EACX;AAAA,EACA;AAAA,EAEjB,YAAY,SAAkC;AAC5C,SAAK,WAAW,QAAQ;AACxB,SAAK,QAAQ,aAAa,QAAQ,KAAK;AAAA,EACzC;AAAA,EAEA,MAAM,KACJ,QACA,YACoD;AACpD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,OAAe,YAAoB,YAAqC;AACnF,UAAM,SAAS,MAAM,QAA+B,KAAK,UAAU;AAAA,MACjE,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,MAAM;AAAA,QACJ,QAAQ;AAAA,QACR,YAAY,WAAW,SAAS,QAAQ;AAAA,MAC1C;AAAA,MACA,OAAO,KAAK;AAAA,MACZ,SAAS,WAAW;AAAA,IACtB,CAAC;AAED,WAAO,OAAO,KAAK,OAAO,WAAW,QAAQ;AAAA,EAC/C;AACF;",
+  "names": []
+}

package/dist/kms.mjs

@@ -0,0 +1,112 @@
+// src/types.ts
+var ClefClientError = class extends Error {
+  constructor(message, statusCode, fix) {
+    super(message);
+    this.statusCode = statusCode;
+    this.fix = fix;
+    this.name = "ClefClientError";
+  }
+  statusCode;
+  fix;
+};
+
+// src/auth.ts
+function resolveToken(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+    return process.env.CLEF_SERVICE_TOKEN;
+  }
+  throw new ClefClientError(
+    "No service token configured",
+    void 0,
+    "Set CLEF_SERVICE_TOKEN or pass token in options."
+  );
+}
+
+// src/http.ts
+async function request(baseUrl, opts) {
+  const url = `${baseUrl}${opts.path}`;
+  const headers = {
+    Authorization: `Bearer ${opts.token}`,
+    Accept: "application/json"
+  };
+  if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+  }
+  const init = {
+    method: opts.method,
+    headers,
+    body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+  };
+  let response;
+  try {
+    response = await opts.fetchFn(url, init);
+  } catch (err) {
+    try {
+      response = await opts.fetchFn(url, init);
+    } catch {
+      throw new ClefClientError(
+        `Connection failed: ${err.message}`,
+        void 0,
+        "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+      );
+    }
+  }
+  if (response.status >= 500) {
+    response = await opts.fetchFn(url, init);
+  }
+  if (response.status === 401) {
+    throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+  }
+  if (response.status === 503) {
+    throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+  }
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new ClefClientError(
+      `HTTP ${response.status}: ${text || response.statusText}`,
+      response.status
+    );
+  }
+  const json = await response.json();
+  if (json && typeof json === "object" && "success" in json) {
+    if (!json.success) {
+      throw new ClefClientError(json.message || "Request failed", response.status);
+    }
+    return json.data;
+  }
+  return json;
+}
+
+// src/cloud-kms-provider.ts
+var CloudKmsProvider = class {
+  endpoint;
+  token;
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.token = resolveToken(options.token);
+  }
+  async wrap(_keyId, _plaintext) {
+    throw new ClefClientError(
+      "CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption."
+    );
+  }
+  async unwrap(keyId, wrappedKey, _algorithm) {
+    const result = await request(this.endpoint, {
+      method: "POST",
+      path: "/api/v1/cloud/kms/decrypt",
+      body: {
+        keyArn: keyId,
+        ciphertext: wrappedKey.toString("base64")
+      },
+      token: this.token,
+      fetchFn: globalThis.fetch
+    });
+    return Buffer.from(result.plaintext, "base64");
+  }
+};
+export {
+  ClefClientError,
+  CloudKmsProvider
+};
+//# sourceMappingURL=kms.mjs.map

package/dist/kms.mjs.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/types.ts", "../src/auth.ts", "../src/http.ts", "../src/cloud-kms-provider.ts"],
+  "sourcesContent": ["/** Configuration for the ClefClient app SDK. */\nexport interface ClefClientOptions {\n  /** Base URL of the clef serve endpoint. Default: http://127.0.0.1:7779 */\n  endpoint?: string;\n  /** Bearer token for authentication. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n  /** Fall back to process.env when a key is not found. Default: true */\n  envFallback?: boolean;\n  /** In-memory cache TTL in milliseconds. 0 = no caching. Default: 0 */\n  cacheTtlMs?: number;\n  /** Custom fetch implementation (for testing or edge runtimes). */\n  fetch?: typeof globalThis.fetch;\n}\n\n/** Configuration for the Cloud KMS provider. */\nexport interface CloudKmsProviderOptions {\n  /** Clef Cloud API endpoint. Falls back to CLEF_ENDPOINT env var. */\n  endpoint: string;\n  /** Bearer token for Cloud API auth. Falls back to CLEF_SERVICE_TOKEN env var. */\n  token?: string;\n}\n\n/** Error thrown by ClefClient and CloudKmsProvider. */\nexport class ClefClientError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode?: number,\n    public readonly fix?: string,\n  ) {\n    super(message);\n    this.name = \"ClefClientError\";\n  }\n}\n", "import { ClefClientError } from \"./types\";\n\n/**\n * Resolve a service token from an explicit value or CLEF_SERVICE_TOKEN env var.\n */\nexport function resolveToken(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_SERVICE_TOKEN) {\n    return process.env.CLEF_SERVICE_TOKEN;\n  }\n\n  throw new ClefClientError(\n    \"No service token configured\",\n    undefined,\n    \"Set CLEF_SERVICE_TOKEN or pass token in options.\",\n  );\n}\n\n/**\n * Resolve the serve endpoint from an explicit value or CLEF_ENDPOINT env var.\n */\nexport function resolveEndpoint(explicit?: string): string {\n  if (explicit) return explicit;\n\n  if (typeof process !== \"undefined\" && process.env?.CLEF_ENDPOINT) {\n    return process.env.CLEF_ENDPOINT;\n  }\n\n  return \"http://127.0.0.1:7779\";\n}\n", "import { ClefClientError } from \"./types\";\n\ninterface RequestOptions {\n  method: \"GET\" | \"POST\";\n  path: string;\n  body?: unknown;\n  token: string;\n  fetchFn: typeof globalThis.fetch;\n}\n\n/**\n * Make an authenticated HTTP request to a Clef endpoint.\n * Handles the { data, success, message } envelope and retries once on 5xx.\n */\nexport async function request<T>(baseUrl: string, opts: RequestOptions): Promise<T> {\n  const url = `${baseUrl}${opts.path}`;\n  const headers: Record<string, string> = {\n    Authorization: `Bearer ${opts.token}`,\n    Accept: \"application/json\",\n  };\n  if (opts.body !== undefined) {\n    headers[\"Content-Type\"] = \"application/json\";\n  }\n\n  const init: RequestInit = {\n    method: opts.method,\n    headers,\n    body: opts.body !== undefined ? JSON.stringify(opts.body) : undefined,\n  };\n\n  let response: Response;\n  try {\n    response = await opts.fetchFn(url, init);\n  } catch (err) {\n    // Retry once on network error\n    try {\n      response = await opts.fetchFn(url, init);\n    } catch {\n      throw new ClefClientError(\n        `Connection failed: ${(err as Error).message}`,\n        undefined,\n        \"Is the endpoint reachable? Check your CLEF_ENDPOINT setting.\",\n      );\n    }\n  }\n\n  // Retry once on 5xx\n  if (response.status >= 500) {\n    response = await opts.fetchFn(url, init);\n  }\n\n  if (response.status === 401) {\n    throw new ClefClientError(\"Authentication failed\", 401, \"Check your CLEF_SERVICE_TOKEN.\");\n  }\n\n  if (response.status === 503) {\n    throw new ClefClientError(\"Secrets expired or not loaded\", 503, \"Check the agent logs.\");\n  }\n\n  if (!response.ok) {\n    const text = await response.text().catch(() => \"\");\n    throw new ClefClientError(\n      `HTTP ${response.status}: ${text || response.statusText}`,\n      response.status,\n    );\n  }\n\n  const json = await response.json();\n\n  // Unwrap { data, success, message } envelope if present\n  if (json && typeof json === \"object\" && \"success\" in json) {\n    if (!json.success) {\n      throw new ClefClientError(json.message || \"Request failed\", response.status);\n    }\n    return json.data as T;\n  }\n\n  return json as T;\n}\n", "import { CloudKmsProviderOptions, ClefClientError } from \"./types\";\nimport { resolveToken } from \"./auth\";\nimport { request } from \"./http\";\n\n/**\n * Clef Cloud KMS provider.\n *\n * Implements the KmsProvider interface (structurally \u2014 no import needed)\n * for use with @clef-sh/runtime's createKmsProvider factory.\n *\n * Only `unwrap()` is supported. Encryption (wrap) is handled by the\n * keyservice sidecar during `clef pack`.\n */\nexport class CloudKmsProvider {\n  private readonly endpoint: string;\n  private readonly token: string;\n\n  constructor(options: CloudKmsProviderOptions) {\n    this.endpoint = options.endpoint;\n    this.token = resolveToken(options.token);\n  }\n\n  async wrap(\n    _keyId: string,\n    _plaintext: Buffer,\n  ): Promise<{ wrappedKey: Buffer; algorithm: string }> {\n    throw new ClefClientError(\n      \"CloudKmsProvider.wrap() is not supported. Use the keyservice sidecar for encryption.\",\n    );\n  }\n\n  async unwrap(keyId: string, wrappedKey: Buffer, _algorithm: string): Promise<Buffer> {\n    const result = await request<{ plaintext: string }>(this.endpoint, {\n      method: \"POST\",\n      path: \"/api/v1/cloud/kms/decrypt\",\n      body: {\n        keyArn: keyId,\n        ciphertext: wrappedKey.toString(\"base64\"),\n      },\n      token: this.token,\n      fetchFn: globalThis.fetch,\n    });\n\n    return Buffer.from(result.plaintext, \"base64\");\n  }\n}\n"],
+  "mappings": ";AAuBO,IAAM,kBAAN,cAA8B,MAAM;AAAA,EACzC,YACE,SACgB,YACA,KAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;;;AC3BO,SAAS,aAAa,UAA2B;AACtD,MAAI,SAAU,QAAO;AAErB,MAAI,OAAO,YAAY,eAAe,QAAQ,KAAK,oBAAoB;AACrE,WAAO,QAAQ,IAAI;AAAA,EACrB;AAEA,QAAM,IAAI;AAAA,IACR;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACHA,eAAsB,QAAW,SAAiB,MAAkC;AAClF,QAAM,MAAM,GAAG,OAAO,GAAG,KAAK,IAAI;AAClC,QAAM,UAAkC;AAAA,IACtC,eAAe,UAAU,KAAK,KAAK;AAAA,IACnC,QAAQ;AAAA,EACV;AACA,MAAI,KAAK,SAAS,QAAW;AAC3B,YAAQ,cAAc,IAAI;AAAA,EAC5B;AAEA,QAAM,OAAoB;AAAA,IACxB,QAAQ,KAAK;AAAA,IACb;AAAA,IACA,MAAM,KAAK,SAAS,SAAY,KAAK,UAAU,KAAK,IAAI,IAAI;AAAA,EAC9D;AAEA,MAAI;AACJ,MAAI;AACF,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC,SAAS,KAAK;AAEZ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,IACzC,QAAQ;AACN,YAAM,IAAI;AAAA,QACR,sBAAuB,IAAc,OAAO;AAAA,QAC5C;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MAAI,SAAS,UAAU,KAAK;AAC1B,eAAW,MAAM,KAAK,QAAQ,KAAK,IAAI;AAAA,EACzC;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,yBAAyB,KAAK,gCAAgC;AAAA,EAC1F;AAEA,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,IAAI,gBAAgB,iCAAiC,KAAK,uBAAuB;AAAA,EACzF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,OAAO,MAAM,SAAS,KAAK,EAAE,MAAM,MAAM,EAAE;AACjD,UAAM,IAAI;AAAA,MACR,QAAQ,SAAS,MAAM,KAAK,QAAQ,SAAS,UAAU;AAAA,MACvD,SAAS;AAAA,IACX;AAAA,EACF;AAEA,QAAM,OAAO,MAAM,SAAS,KAAK;AAGjC,MAAI,QAAQ,OAAO,SAAS,YAAY,aAAa,MAAM;AACzD,QAAI,CAAC,KAAK,SAAS;AACjB,YAAM,IAAI,gBAAgB,KAAK,WAAW,kBAAkB,SAAS,MAAM;AAAA,IAC7E;AACA,WAAO,KAAK;AAAA,EACd;AAEA,SAAO;AACT;;;ACjEO,IAAM,mBAAN,MAAuB;AAAA,EACX;AAAA,EACA;AAAA,EAEjB,YAAY,SAAkC;AAC5C,SAAK,WAAW,QAAQ;AACxB,SAAK,QAAQ,aAAa,QAAQ,KAAK;AAAA,EACzC;AAAA,EAEA,MAAM,KACJ,QACA,YACoD;AACpD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,OAAe,YAAoB,YAAqC;AACnF,UAAM,SAAS,MAAM,QAA+B,KAAK,UAAU;AAAA,MACjE,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,MAAM;AAAA,QACJ,QAAQ;AAAA,QACR,YAAY,WAAW,SAAS,QAAQ;AAAA,MAC1C;AAAA,MACA,OAAO,KAAK;AAAA,MACZ,SAAS,WAAW;AAAA,IACtB,CAAC;AAED,WAAO,OAAO,KAAK,OAAO,WAAW,QAAQ;AAAA,EAC/C;AACF;",
+  "names": []
+}

package/dist/types.d.ts

@@ -0,0 +1,27 @@
+/** Configuration for the ClefClient app SDK. */
+export interface ClefClientOptions {
+    /** Base URL of the clef serve endpoint. Default: http://127.0.0.1:7779 */
+    endpoint?: string;
+    /** Bearer token for authentication. Falls back to CLEF_SERVICE_TOKEN env var. */
+    token?: string;
+    /** Fall back to process.env when a key is not found. Default: true */
+    envFallback?: boolean;
+    /** In-memory cache TTL in milliseconds. 0 = no caching. Default: 0 */
+    cacheTtlMs?: number;
+    /** Custom fetch implementation (for testing or edge runtimes). */
+    fetch?: typeof globalThis.fetch;
+}
+/** Configuration for the Cloud KMS provider. */
+export interface CloudKmsProviderOptions {
+    /** Clef Cloud API endpoint. Falls back to CLEF_ENDPOINT env var. */
+    endpoint: string;
+    /** Bearer token for Cloud API auth. Falls back to CLEF_SERVICE_TOKEN env var. */
+    token?: string;
+}
+/** Error thrown by ClefClient and CloudKmsProvider. */
+export declare class ClefClientError extends Error {
+    readonly statusCode?: number | undefined;
+    readonly fix?: string | undefined;
+    constructor(message: string, statusCode?: number | undefined, fix?: string | undefined);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,MAAM,WAAW,iBAAiB;IAChC,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sEAAsE;IACtE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,sEAAsE;IACtE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,gDAAgD;AAChD,MAAM,WAAW,uBAAuB;IACtC,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,uDAAuD;AACvD,qBAAa,eAAgB,SAAQ,KAAK;aAGtB,UAAU,CAAC,EAAE,MAAM;aACnB,GAAG,CAAC,EAAE,MAAM;gBAF5B,OAAO,EAAE,MAAM,EACC,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,GAAG,CAAC,EAAE,MAAM,YAAA;CAK/B"}

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@clef-sh/client",
+  "version": "0.1.2-beta.92",
+  "description": "Lightweight SDK for consuming Clef secrets — Cloud KMS provider and app client",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/clef-sh/clef",
+    "directory": "packages/client"
+  },
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.mts",
+        "default": "./dist/index.mjs"
+      },
+      "require": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    },
+    "./kms": {
+      "import": {
+        "types": "./dist/kms.d.mts",
+        "default": "./dist/kms.mjs"
+      },
+      "require": {
+        "types": "./dist/kms.d.ts",
+        "default": "./dist/kms.js"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "typesVersions": {
+    "*": {
+      "kms": [
+        "dist/kms.d.ts"
+      ]
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc --noEmit && node scripts/build.mjs",
+    "test": "jest",
+    "test:coverage": "jest --coverage"
+  },
+  "devDependencies": {
+    "@types/jest": "^29.5.0",
+    "@types/node": "^20.11.0",
+    "esbuild": "^0.27.4",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.1.0",
+    "typescript": "^5.9.3"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "license": "MIT"
+}