@clef-sh/cloud 0.1.18-beta.85
- package/dist/bundled.d.ts +6 -0
- package/dist/bundled.d.ts.map +1 -0
- package/dist/cli.d.mts +9 -0
- package/dist/cli.d.ts +9 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +604 -0
- package/dist/cli.js.map +7 -0
- package/dist/cli.mjs +579 -0
- package/dist/cli.mjs.map +7 -0
- package/dist/commands/cloud.d.ts +20 -0
- package/dist/commands/cloud.d.ts.map +1 -0
- package/dist/constants.d.ts +2 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/credentials.d.ts +13 -0
- package/dist/credentials.d.ts.map +1 -0
- package/dist/device-flow.d.ts +46 -0
- package/dist/device-flow.d.ts.map +1 -0
- package/dist/index.d.mts +28 -0
- package/dist/index.d.ts +28 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +522 -0
- package/dist/index.js.map +7 -0
- package/dist/index.mjs +478 -0
- package/dist/index.mjs.map +7 -0
- package/dist/keyservice.d.ts +20 -0
- package/dist/keyservice.d.ts.map +1 -0
- package/dist/pack-client.d.ts +34 -0
- package/dist/pack-client.d.ts.map +1 -0
- package/dist/report-client.d.ts +18 -0
- package/dist/report-client.d.ts.map +1 -0
- package/dist/resolver.d.ts +24 -0
- package/dist/resolver.d.ts.map +1 -0
- package/dist/sops.d.ts +36 -0
- package/dist/sops.d.ts.map +1 -0
- package/dist/token-refresh.d.ts +27 -0
- package/dist/token-refresh.d.ts.map +1 -0
- package/dist/types.d.ts +96 -0
- package/dist/types.d.ts.map +1 -0
- package/package.json +95 -0
package/dist/cli.js.map
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
{
|
|
2
|
+
"version": 3,
|
|
3
|
+
"sources": ["../src/cli.ts", "../src/commands/cloud.ts", "../src/keyservice.ts", "../src/resolver.ts", "../src/bundled.ts", "../src/credentials.ts", "../src/constants.ts", "../src/device-flow.ts", "../src/pack-client.ts", "../src/token-refresh.ts", "../src/sops.ts"],
|
|
4
|
+
"sourcesContent": ["/**\n * CLI plugin entry point for @clef-sh/cloud.\n *\n * Loaded dynamically by @clef-sh/cli via `import(\"@clef-sh/cloud/cli\")`.\n * Registers cloud-specific commands (init, login, status) on the Commander program.\n */\nexport { registerCloudCommands } from \"./commands/cloud\";\nexport type { CloudCliDeps } from \"./commands/cloud\";\n", "import * as path from \"path\";\nimport { Command } from \"commander\";\nimport {\n ManifestParser,\n MatrixManager,\n SubprocessRunner,\n SopsClient,\n readManifestYaml,\n writeManifestYaml,\n} from \"@clef-sh/core\";\nimport {\n readCloudCredentials,\n writeCloudCredentials,\n resolveKeyservicePath,\n initiateDeviceFlow,\n pollDeviceFlow,\n spawnKeyservice,\n resolveAccessToken,\n CLOUD_DEFAULT_ENDPOINT,\n} from \"../index\";\nimport type { DevicePollResult, ClefCloudCredentials } from \"../index\";\n\nconst POLL_INTERVAL_MS = 2000;\n\n/** CLI utilities injected by the host CLI package. */\nexport interface CloudCliDeps {\n runner: SubprocessRunner;\n formatter: {\n print(msg: string): void;\n success(msg: string): void;\n error(msg: string): void;\n warn(msg: string): void;\n info(msg: string): void;\n hint(msg: string): void;\n };\n sym(name: string): string;\n openBrowser(url: string, runner: SubprocessRunner): Promise<boolean>;\n createSopsClient(\n repoRoot: string,\n runner: SubprocessRunner,\n keyserviceAddr?: string,\n ): Promise<SopsClient>;\n cliVersion: string;\n}\n\nexport function registerCloudCommands(program: Command, deps: CloudCliDeps): void {\n const { formatter, sym, runner } = deps;\n const cloud = program.command(\"cloud\").description(\"Manage Clef Cloud integration.\");\n\n cloud\n .command(\"status\")\n .description(\"Show Clef Cloud integration status.\")\n .action(async () => {\n try {\n const repoRoot = (program.opts().dir as string) || process.cwd();\n const parser = new ManifestParser();\n\n // Check manifest\n let manifest;\n try {\n manifest = 
parser.parse(path.join(repoRoot, \"clef.yaml\"));\n } catch {\n formatter.print(`${sym(\"info\")} No clef.yaml found in ${repoRoot}`);\n return;\n }\n\n formatter.print(`${sym(\"clef\")} Clef Cloud Status\\n`);\n\n // Cloud config\n if (manifest.cloud) {\n formatter.print(` Integration: ${manifest.cloud.integrationId}`);\n formatter.print(` Key ID: ${manifest.cloud.keyId}`);\n } else {\n formatter.print(` Cloud: not configured`);\n formatter.hint(\"\\n Run 'clef cloud init --env <environment>' to set up Cloud.\");\n return;\n }\n\n // Environments using cloud backend\n const cloudEnvs = manifest.environments.filter((e) => e.sops?.backend === \"cloud\");\n const defaultCloud = manifest.sops.default_backend === \"cloud\";\n if (cloudEnvs.length > 0 || defaultCloud) {\n const envNames = defaultCloud\n ? manifest.environments.map((e) => e.name)\n : cloudEnvs.map((e) => e.name);\n formatter.print(` Environments: ${envNames.join(\", \")}`);\n } else {\n formatter.print(` Environments: none using cloud backend`);\n }\n\n // Credentials\n const creds = readCloudCredentials();\n if (creds) {\n formatter.print(` Auth: authenticated`);\n formatter.print(` Endpoint: ${creds.endpoint}`);\n } else {\n formatter.print(` Auth: not authenticated`);\n formatter.hint(\" Run 'clef cloud login' to authenticate.\");\n }\n\n // Keyservice binary\n try {\n const ks = resolveKeyservicePath();\n formatter.print(` Keyservice: ${ks.source} (${ks.path})`);\n } catch {\n formatter.print(` Keyservice: not found`);\n formatter.hint(\" Install the cloud package: npm install @clef-sh/cloud\");\n }\n } catch (err) {\n const message = err instanceof Error ? 
err.message : String(err);\n formatter.error(message);\n process.exit(1);\n }\n });\n\n cloud\n .command(\"init\")\n .description(\"Set up Clef Cloud for an environment.\")\n .requiredOption(\"--env <environment>\", \"Target environment (e.g., production)\")\n .action(async (opts: { env: string }) => {\n try {\n const repoRoot = (program.opts().dir as string) || process.cwd();\n const parser = new ManifestParser();\n const manifest = parser.parse(path.join(repoRoot, \"clef.yaml\"));\n\n // Pre-checks\n const targetEnv = manifest.environments.find((e) => e.name === opts.env);\n if (!targetEnv) {\n formatter.error(\n `Environment '${opts.env}' not found in clef.yaml. ` +\n `Available: ${manifest.environments.map((e) => e.name).join(\", \")}`,\n );\n process.exit(1);\n return;\n }\n\n if (targetEnv.sops?.backend === \"cloud\" && manifest.cloud) {\n formatter.info(\n `Environment '${opts.env}' is already using Cloud backend ` +\n `(${manifest.cloud.keyId}). Nothing to do.`,\n );\n return;\n }\n\n // Verify keyservice binary is available\n let keyservicePath: string;\n try {\n keyservicePath = resolveKeyservicePath().path;\n } catch {\n formatter.error(\n \"Keyservice binary not found. Install the cloud package: npm install @clef-sh/cloud\",\n );\n process.exit(1);\n return;\n }\n\n formatter.print(`${sym(\"clef\")} Clef Cloud\\n`);\n\n // Device flow \u2014 auth + payment\n const existingCreds = readCloudCredentials();\n const cloudEndpoint = existingCreds?.endpoint ?? CLOUD_DEFAULT_ENDPOINT;\n formatter.print(` Endpoint: ${cloudEndpoint}`);\n formatter.print(\n ` Creds: ${existingCreds ? `authenticated=${existingCreds.refreshToken ? 
\"yes\" : \"no\"}, endpoint=${existingCreds.endpoint}` : \"none\"}`,\n );\n\n let integrationId: string;\n let keyId: string;\n let deviceFlowAccessToken: string | undefined;\n\n if (existingCreds && existingCreds.refreshToken && manifest.cloud) {\n // Already authenticated and cloud config exists \u2014 skip device flow\n integrationId = manifest.cloud.integrationId;\n keyId = manifest.cloud.keyId;\n formatter.print(` Using existing Cloud integration: ${keyId}`);\n } else {\n formatter.print(` Opening browser to set up Cloud for ${opts.env}...`);\n\n const session = await initiateDeviceFlow(cloudEndpoint, {\n repoName: path.basename(repoRoot),\n environment: opts.env,\n clientVersion: deps.cliVersion,\n flow: \"setup\",\n });\n\n formatter.print(` If the browser doesn't open, visit:\\n ${session.loginUrl}\\n`);\n\n await deps.openBrowser(session.loginUrl, runner);\n formatter.print(` Waiting for authorization... (press Ctrl+C to cancel)`);\n\n const result = await pollUntilComplete(session.pollUrl);\n\n if (\n result.status !== \"complete\" ||\n !result.token ||\n !result.integrationId ||\n !result.keyId\n ) {\n formatter.error(\n result.status === \"expired\"\n ? \"Session expired. 
Run 'clef cloud init' again.\"\n : \"Setup cancelled.\",\n );\n process.exit(1);\n return;\n }\n\n integrationId = result.integrationId;\n keyId = result.keyId;\n\n const creds: ClefCloudCredentials = {\n refreshToken: result.token,\n endpoint: existingCreds?.endpoint,\n cognitoDomain: result.cognitoDomain,\n clientId: result.clientId,\n };\n if (result.accessToken && result.accessTokenExpiresIn) {\n creds.accessToken = result.accessToken;\n creds.accessTokenExpiry = Date.now() + result.accessTokenExpiresIn * 1000;\n deviceFlowAccessToken = result.accessToken;\n }\n writeCloudCredentials(creds);\n formatter.success(\"Authorized\");\n }\n\n formatter.print(`\\n Provisioning Cloud backend for ${opts.env}...`);\n formatter.print(` ${sym(\"success\")} KMS key provisioned: ${keyId}`);\n\n formatter.print(`\\n Migrating ${opts.env} secrets to Cloud backend...`);\n\n // Build the cloud-enabled manifest in memory \u2014 don't write to disk yet\n // so a failed migration can be retried with `clef cloud init` again.\n const cloudManifest = structuredClone(manifest);\n cloudManifest.cloud = { integrationId, keyId };\n const cloudEnv = cloudManifest.environments.find((e) => e.name === opts.env);\n if (cloudEnv) {\n cloudEnv.sops = { backend: \"cloud\" };\n }\n\n const matrixManager = new MatrixManager();\n const cells = matrixManager\n .resolveMatrix(manifest, repoRoot)\n .filter((c) => c.environment === opts.env && c.exists);\n\n if (cells.length === 0) {\n formatter.print(` No encrypted files found for ${opts.env}.`);\n } else {\n const ageSopsClient = await deps.createSopsClient(repoRoot, runner);\n const { accessToken, endpoint: ksEndpoint } = deviceFlowAccessToken\n ? 
{ accessToken: deviceFlowAccessToken, endpoint: cloudEndpoint }\n : await resolveAccessToken();\n\n const ksHandle = await spawnKeyservice({\n binaryPath: keyservicePath,\n token: accessToken,\n endpoint: ksEndpoint,\n });\n\n try {\n const cloudSopsClient = await deps.createSopsClient(repoRoot, runner, ksHandle.addr);\n\n for (const cell of cells) {\n const decrypted = await ageSopsClient.decrypt(cell.filePath);\n await cloudSopsClient.encrypt(\n cell.filePath,\n decrypted.values,\n cloudManifest,\n cell.environment,\n );\n const relPath = path.relative(repoRoot, cell.filePath);\n formatter.print(` ${sym(\"success\")} ${relPath}`);\n }\n\n formatter.print(`\\n Verifying encrypted files...`);\n for (const cell of cells) {\n await cloudSopsClient.decrypt(cell.filePath);\n const relPath = path.relative(repoRoot, cell.filePath);\n formatter.print(` ${sym(\"success\")} ${relPath}`);\n }\n } finally {\n await ksHandle.kill();\n }\n }\n\n // Migration succeeded \u2014 now persist the manifest changes\n const rawManifest = readManifestYaml(repoRoot);\n rawManifest.cloud = { integrationId, keyId };\n const envs = rawManifest.environments as Array<Record<string, unknown>>;\n const targetRawEnv = envs.find((e) => e.name === opts.env);\n if (targetRawEnv) {\n targetRawEnv.sops = { backend: \"cloud\" };\n }\n writeManifestYaml(repoRoot, rawManifest);\n\n formatter.print(`\\n ${sym(\"success\")} Cloud setup complete.\\n`);\n formatter.print(` Your ${opts.env} environment now uses Clef Cloud for encryption.`);\n formatter.print(` Other environments continue to use age keys locally.\\n`);\n formatter.hint(\" Commit your changes: git add clef.yaml && git commit\");\n } catch (err) {\n const message = err instanceof Error ? 
err.message : String(err);\n formatter.error(message);\n process.exit(1);\n }\n });\n\n cloud\n .command(\"login\")\n .description(\"Authenticate with Clef Cloud.\")\n .action(async () => {\n try {\n formatter.print(`${sym(\"clef\")} Clef Cloud\\n`);\n\n const existingCreds = readCloudCredentials();\n const endpoint = existingCreds?.endpoint;\n\n const session = await initiateDeviceFlow(endpoint, {\n repoName: path.basename(process.cwd()),\n clientVersion: deps.cliVersion,\n flow: \"login\",\n });\n\n formatter.print(` Opening browser to log in...`);\n formatter.print(` If the browser doesn't open, visit:\\n ${session.loginUrl}\\n`);\n\n const opened = await deps.openBrowser(session.loginUrl, runner);\n if (!opened) {\n formatter.warn(\"Could not open browser automatically. Visit the URL above.\");\n }\n\n formatter.print(` Waiting for authorization... (press Ctrl+C to cancel)`);\n\n const result = await pollUntilComplete(session.pollUrl);\n\n if (result.status === \"expired\") {\n formatter.error(\"Session expired. Run 'clef cloud login' again.\");\n process.exit(1);\n return;\n }\n if (result.status === \"cancelled\") {\n formatter.info(\"Login cancelled.\");\n return;\n }\n\n if (result.token) {\n const creds: ClefCloudCredentials = {\n refreshToken: result.token,\n endpoint,\n cognitoDomain: result.cognitoDomain,\n clientId: result.clientId,\n };\n if (result.accessToken && result.accessTokenExpiresIn) {\n creds.accessToken = result.accessToken;\n creds.accessTokenExpiry = Date.now() + result.accessTokenExpiresIn * 1000;\n }\n writeCloudCredentials(creds);\n formatter.success(\"Logged in. Credentials saved to ~/.clef/credentials.yaml\");\n }\n } catch (err) {\n const message = err instanceof Error ? 
err.message : String(err);\n formatter.error(message);\n process.exit(1);\n }\n });\n}\n\nasync function pollUntilComplete(pollUrl: string): Promise<DevicePollResult> {\n for (;;) {\n const result = await pollDeviceFlow(pollUrl);\n if (\n result.status === \"complete\" ||\n result.status === \"expired\" ||\n result.status === \"cancelled\"\n ) {\n return result;\n }\n await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));\n }\n}\n", "/**\n * Manages the clef-keyservice sidecar lifecycle: spawn, port discovery, graceful shutdown.\n *\n * The keyservice binary is a localhost gRPC server that proxies KMS encrypt/decrypt\n * operations to the Cloud API. The CLI spawns it per command and kills it when done.\n */\nimport { spawn, type ChildProcess } from \"child_process\";\nimport * as readline from \"readline\";\n\nexport interface KeyserviceHandle {\n /** Address for SOPS --keyservice flag, e.g. \"tcp://127.0.0.1:12345\". */\n addr: string;\n /** Gracefully stop the keyservice process. 
*/\n kill(): Promise<void>;\n}\n\nconst PORT_REGEX = /^PORT=(\\d+)$/;\nconst STARTUP_TIMEOUT_MS = 5000;\nconst SHUTDOWN_TIMEOUT_MS = 3000;\n\n/**\n * Spawn a clef-keyservice sidecar process and wait for it to report its port.\n *\n * @param options.binaryPath - Absolute path to the clef-keyservice binary.\n * @param options.token - Cloud bearer token for API authentication.\n * @param options.endpoint - Optional Cloud API endpoint override.\n * @returns A handle with the keyservice address and a kill function.\n */\nexport async function spawnKeyservice(options: {\n binaryPath: string;\n token: string;\n endpoint?: string;\n}): Promise<KeyserviceHandle> {\n const args = [\"--addr\", \"127.0.0.1:0\"];\n if (options.endpoint) {\n args.push(\"--endpoint\", options.endpoint);\n }\n\n // Token passed via env var \u2014 CLI args are visible in /proc/<pid>/cmdline\n const child = spawn(options.binaryPath, args, {\n stdio: [\"ignore\", \"pipe\", \"pipe\"],\n env: { ...process.env, CLEF_CLOUD_TOKEN: options.token },\n });\n\n const port = await readPort(child);\n const addr = `tcp://127.0.0.1:${port}`;\n\n return {\n addr,\n kill: () => killGracefully(child),\n };\n}\n\nfunction readPort(child: ChildProcess): Promise<number> {\n return new Promise((resolve, reject) => {\n let settled = false;\n\n const rl = readline.createInterface({ input: child.stdout! 
});\n\n function settle() {\n clearTimeout(timer);\n rl.close();\n }\n\n const timer = setTimeout(() => {\n if (!settled) {\n settled = true;\n settle();\n child.kill(\"SIGKILL\");\n reject(new Error(\"Keyservice did not start within 5 seconds.\"));\n }\n }, STARTUP_TIMEOUT_MS);\n\n rl.on(\"line\", (line) => {\n const match = PORT_REGEX.exec(line);\n if (match && !settled) {\n settled = true;\n settle();\n resolve(parseInt(match[1], 10));\n }\n });\n\n child.on(\"error\", (err) => {\n if (!settled) {\n settled = true;\n settle();\n reject(new Error(`Failed to start keyservice: ${err.message}`));\n }\n });\n\n child.on(\"exit\", (code) => {\n if (!settled) {\n settled = true;\n settle();\n reject(new Error(`Keyservice exited unexpectedly with code ${code}.`));\n }\n });\n });\n}\n\nfunction killGracefully(child: ChildProcess): Promise<void> {\n return new Promise((resolve) => {\n if (child.exitCode !== null) {\n resolve();\n return;\n }\n const timer = setTimeout(() => {\n child.kill(\"SIGKILL\");\n }, SHUTDOWN_TIMEOUT_MS);\n child.on(\"exit\", () => {\n clearTimeout(timer);\n resolve();\n });\n child.kill(\"SIGTERM\");\n });\n}\n", "/**\n * Resolves the path to the `clef-keyservice` binary using a three-tier resolution chain:\n *\n * 1. `CLEF_KEYSERVICE_PATH` environment variable (explicit user override)\n * 2. Bundled platform-specific package (`@clef-sh/keyservice-{os}-{arch}`)\n * 3. System PATH fallback (bare `\"clef-keyservice\"` command name)\n *\n * Mirrors the resolution pattern in sops/resolver.ts.\n */\nimport * as fs from \"fs\";\nimport * as path from \"path\";\nimport { tryBundledKeyservice } from \"./bundled\";\n\nfunction validateKeyservicePath(candidate: string): void {\n if (!path.isAbsolute(candidate)) {\n throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);\n }\n const segments = candidate.split(/[/\\\\]/);\n if (segments.includes(\"..\")) {\n throw new Error(\n `CLEF_KEYSERVICE_PATH contains '..' 
path segments ('${candidate}'). ` +\n \"Use an absolute path without directory traversal.\",\n );\n }\n}\n\nexport type KeyserviceSource = \"env\" | \"bundled\" | \"system\";\n\nexport interface KeyserviceResolution {\n /** Absolute path to the keyservice binary, or \"clef-keyservice\" for system PATH fallback. */\n path: string;\n /** How the binary was located. */\n source: KeyserviceSource;\n}\n\nlet cached: KeyserviceResolution | undefined;\n\n/**\n * Resolve the clef-keyservice binary path.\n *\n * Resolution order:\n * 1. `CLEF_KEYSERVICE_PATH` env var \u2014 explicit override, used as-is\n * 2. Bundled `@clef-sh/keyservice-{platform}-{arch}` package\n * 3. System PATH fallback \u2014 returns bare `\"clef-keyservice\"`\n *\n * The result is cached module-wide. Call {@link resetKeyserviceResolution} in tests\n * to clear the cache.\n */\nexport function resolveKeyservicePath(): KeyserviceResolution {\n if (cached) return cached;\n\n // 1. Explicit environment override\n const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();\n if (envPath) {\n validateKeyservicePath(envPath);\n if (!fs.existsSync(envPath)) {\n throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);\n }\n cached = { path: envPath, source: \"env\" };\n return cached;\n }\n\n // 2. Bundled platform package\n const bundledPath = tryBundledKeyservice();\n if (bundledPath) {\n cached = { path: bundledPath, source: \"bundled\" };\n return cached;\n }\n\n // 3. System PATH fallback\n cached = { path: \"clef-keyservice\", source: \"system\" };\n return cached;\n}\n\n/**\n * Clear the cached resolution. 
Only intended for use in tests.\n */\nexport function resetKeyserviceResolution(): void {\n cached = undefined;\n}\n", "/**\n * Locates the bundled clef-keyservice binary from the platform-specific npm package.\n * Mirrors sops/bundled.ts \u2014 extracted for testability.\n */\nimport * as fs from \"fs\";\nimport * as path from \"path\";\n\n/**\n * Try to locate the bundled keyservice binary from the platform-specific npm package.\n * Returns the resolved path or null if the package is not installed.\n */\nexport function tryBundledKeyservice(): string | null {\n const platform = process.platform;\n const arch = process.arch;\n\n const archName = arch === \"x64\" ? \"x64\" : arch === \"arm64\" ? \"arm64\" : null;\n if (!archName) return null;\n\n const platformName =\n platform === \"darwin\"\n ? \"darwin\"\n : platform === \"linux\"\n ? \"linux\"\n : platform === \"win32\"\n ? \"win32\"\n : null;\n if (!platformName) return null;\n\n const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;\n const binName = platform === \"win32\" ? \"clef-keyservice.exe\" : \"clef-keyservice\";\n\n try {\n const packageMain = require.resolve(`${packageName}/package.json`);\n const packageDir = path.dirname(packageMain);\n const binPath = path.join(packageDir, \"bin\", binName);\n return fs.existsSync(binPath) ? 
binPath : null;\n } catch {\n return null;\n }\n}\n", "import * as fs from \"fs\";\nimport * as path from \"path\";\nimport * as os from \"os\";\nimport * as YAML from \"yaml\";\nimport type { ClefCloudCredentials } from \"./types\";\nimport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\n\nconst CREDENTIALS_FILENAME = \"credentials.yaml\";\n\n/**\n * Read Cloud credentials from ~/.clef/credentials.yaml.\n * Returns null if the file does not exist or is malformed.\n */\nexport function readCloudCredentials(): ClefCloudCredentials | null {\n const credPath = path.join(os.homedir(), \".clef\", CREDENTIALS_FILENAME);\n\n let raw: unknown;\n try {\n raw = YAML.parse(fs.readFileSync(credPath, \"utf-8\"));\n } catch {\n return null;\n }\n\n if (!raw || typeof raw !== \"object\") return null;\n const obj = raw as Record<string, unknown>;\n\n const refreshToken = typeof obj.refreshToken === \"string\" ? obj.refreshToken : \"\";\n const accessToken = typeof obj.accessToken === \"string\" ? obj.accessToken : undefined;\n const accessTokenExpiry =\n typeof obj.accessTokenExpiry === \"number\" ? obj.accessTokenExpiry : undefined;\n const endpoint = typeof obj.endpoint === \"string\" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;\n const cognitoDomain = typeof obj.cognitoDomain === \"string\" ? obj.cognitoDomain : undefined;\n const clientId = typeof obj.clientId === \"string\" ? 
obj.clientId : undefined;\n\n if (!refreshToken && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;\n\n return { refreshToken, accessToken, accessTokenExpiry, endpoint, cognitoDomain, clientId };\n}\n\n/**\n * Write Cloud credentials to ~/.clef/credentials.yaml.\n * Creates ~/.clef/ with mode 0700 if it doesn't exist.\n * File is written with mode 0600 (owner read/write only).\n */\nexport function writeCloudCredentials(credentials: ClefCloudCredentials): void {\n const clefDir = path.join(os.homedir(), \".clef\");\n fs.mkdirSync(clefDir, { recursive: true, mode: 0o700 });\n const credPath = path.join(clefDir, CREDENTIALS_FILENAME);\n\n const content = Object.fromEntries(\n Object.entries(credentials).filter(([, v]) => v !== undefined),\n );\n\n fs.writeFileSync(credPath, YAML.stringify(content), { mode: 0o600 });\n}\n", "export const CLOUD_DEFAULT_ENDPOINT = \"https://api.clef.sh\";\n", "/**\n * Device flow client for Clef Cloud authentication.\n *\n * The CLI initiates a device flow session, opens the browser to the login URL,\n * and polls until the user completes auth + payment. Same pattern as\n * `gh auth login` and Claude Code.\n */\nimport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\n\nexport interface DeviceSession {\n sessionId: string;\n loginUrl: string;\n pollUrl: string;\n /** Session lifetime in seconds. */\n expiresIn: number;\n}\n\nexport type DeviceFlowType = \"login\" | \"setup\";\n\nexport interface DevicePollResult {\n status: \"pending\" | \"awaiting_payment\" | \"complete\" | \"cancelled\" | \"expired\";\n /** Cognito refresh token. Present when status is \"complete\". */\n token?: string;\n /** Cognito access token. Present when status is \"complete\". */\n accessToken?: string;\n /** Access token lifetime in seconds. Present alongside accessToken. */\n accessTokenExpiresIn?: number;\n /** Present when status is \"complete\". */\n integrationId?: string;\n /** Present when status is \"complete\". 
*/\n keyId?: string;\n /** Cognito OAuth2 domain URL for token refresh. Present when status is \"complete\". */\n cognitoDomain?: string;\n /** CLI Cognito app client ID. Present when status is \"complete\". */\n clientId?: string;\n}\n\n/**\n * Initiate a device flow session with the Cloud API.\n *\n * @param endpoint - Cloud API base URL. Defaults to https://api.clef.sh.\n * @param options - Session metadata carried into the browser flow.\n * @returns The session with a login URL to open in the browser.\n */\nexport async function initiateDeviceFlow(\n endpoint: string | undefined,\n options: {\n repoName: string;\n environment?: string;\n clientVersion: string;\n flow: DeviceFlowType;\n },\n): Promise<DeviceSession> {\n const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;\n const payload: Record<string, string> = {\n clientType: \"cli\",\n clientVersion: options.clientVersion,\n repoName: options.repoName,\n flow: options.flow,\n };\n if (options.environment) {\n payload.environment = options.environment;\n }\n let res: Response;\n try {\n res = await fetch(`${base}/api/v1/device/init`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify(payload),\n });\n } catch (err) {\n const cause = err instanceof Error ? (err as Error & { cause?: unknown }).cause : undefined;\n const reason =\n cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);\n throw new Error(`Could not reach Clef Cloud at ${base}: ${reason}`);\n }\n\n if (!res.ok) {\n const body = await res.text().catch(() => \"\");\n throw new Error(`Device flow init failed (${res.status}): ${body}`);\n }\n\n const json = await res.json();\n // Support both { data: { ... } } (saas API) and flat { ... } formats\n const session = (json.data ?? 
json) as DeviceSession;\n\n // The API may return a relative pollUrl \u2014 resolve it against the base\n if (session.pollUrl && !session.pollUrl.startsWith(\"http\")) {\n session.pollUrl = `${base}${session.pollUrl}`;\n }\n\n return session;\n}\n\n/**\n * Poll a device flow session for completion.\n *\n * @param pollUrl - The full poll URL returned by {@link initiateDeviceFlow}.\n * @returns The current session state.\n */\nexport async function pollDeviceFlow(pollUrl: string): Promise<DevicePollResult> {\n let res: Response;\n try {\n res = await fetch(pollUrl);\n } catch (err) {\n const cause = err instanceof Error ? (err as Error & { cause?: unknown }).cause : undefined;\n const reason =\n cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);\n throw new Error(`Could not reach Clef Cloud poll endpoint: ${reason}`);\n }\n\n if (!res.ok) {\n const body = await res.text().catch(() => \"\");\n throw new Error(`Device flow poll failed (${res.status}): ${body}`);\n }\n\n const json = await res.json();\n return (json.data ?? json) as DevicePollResult;\n}\n", "/**\n * HTTP client for the Cloud pack endpoint.\n *\n * Used by `clef pack --remote` to send encrypted files to Cloud for packing.\n */\nimport * as fs from \"fs\";\nimport * as path from \"path\";\nimport type { ClefManifest, MatrixCell } from \"@clef-sh/core\";\nimport { MatrixManager } from \"@clef-sh/core\";\nimport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\n\nexport interface RemotePackConfig {\n identity: string;\n environment: string;\n manifest: ClefManifest;\n repoRoot: string;\n ttl?: number;\n}\n\nexport interface RemotePackResult {\n revision: string;\n artifactSize: number;\n identity: string;\n environment: string;\n}\n\nexport class CloudPackClient {\n private readonly endpoint: string;\n\n constructor(endpoint?: string) {\n this.endpoint = endpoint ?? 
CLOUD_DEFAULT_ENDPOINT;\n }\n\n async pack(token: string, config: RemotePackConfig): Promise<RemotePackResult> {\n const matrixManager = new MatrixManager();\n const cells = matrixManager\n .resolveMatrix(config.manifest, config.repoRoot)\n .filter((c: MatrixCell) => c.environment === config.environment && c.exists);\n\n const formData = new FormData();\n\n const configJson = JSON.stringify({\n identity: config.identity,\n environment: config.environment,\n ...(config.ttl ? { ttl: config.ttl } : {}),\n });\n formData.append(\"config\", new Blob([configJson], { type: \"application/json\" }));\n\n const manifestPath = path.join(config.repoRoot, \"clef.yaml\");\n const manifestContent = fs.readFileSync(manifestPath, \"utf-8\");\n formData.append(\"manifest\", new Blob([manifestContent], { type: \"text/yaml\" }));\n\n for (const cell of cells) {\n const relPath = path.relative(config.repoRoot, cell.filePath);\n const content = fs.readFileSync(cell.filePath, \"utf-8\");\n formData.append(`files`, new Blob([content], { type: \"text/yaml\" }), relPath);\n }\n\n const res = await fetch(`${this.endpoint}/api/v1/cloud/pack`, {\n method: \"POST\",\n headers: { Authorization: `Bearer ${token}` },\n body: formData,\n });\n\n if (!res.ok) {\n const body = await res.text().catch(() => \"\");\n throw new Error(`Cloud pack failed (${res.status}): ${body}`);\n }\n\n return (await res.json()) as RemotePackResult;\n }\n}\n\n/**\n * HTTP client for uploading a locally-packed artifact to Cloud.\n *\n * Used by `clef pack --push`.\n */\nexport class CloudArtifactClient {\n private readonly endpoint: string;\n\n constructor(endpoint?: string) {\n this.endpoint = endpoint ?? 
CLOUD_DEFAULT_ENDPOINT;\n }\n\n async upload(\n token: string,\n config: { identity: string; environment: string; artifactJson: string },\n ): Promise<void> {\n const res = await fetch(\n `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,\n {\n method: \"PUT\",\n headers: {\n Authorization: `Bearer ${token}`,\n \"Content-Type\": \"application/json\",\n },\n body: config.artifactJson,\n },\n );\n\n if (!res.ok) {\n const body = await res.text().catch(() => \"\");\n throw new Error(`Artifact upload failed (${res.status}): ${body}`);\n }\n }\n}\n", "/**\n * Cognito token refresh via the OAuth2 token endpoint.\n *\n * Uses plain HTTP \u2014 no AWS SDK dependency. The Cognito token endpoint\n * accepts refresh tokens and returns fresh access tokens.\n */\n\nexport interface TokenRefreshConfig {\n cognitoDomain: string;\n clientId: string;\n refreshToken: string;\n}\n\nexport interface TokenRefreshResult {\n accessToken: string;\n idToken: string;\n expiresIn: number;\n}\n\n/**\n * Refresh a Cognito access token using a refresh token.\n *\n * Calls the Cognito OAuth2 token endpoint directly:\n * POST https://<domain>.auth.<region>.amazoncognito.com/oauth2/token\n *\n * @returns Fresh access token, ID token, and expiry (seconds).\n * @throws If the refresh token is expired or invalid.\n */\nexport async function refreshAccessToken(config: TokenRefreshConfig): Promise<TokenRefreshResult> {\n const url = `${config.cognitoDomain}/oauth2/token`;\n\n const body = new URLSearchParams({\n grant_type: \"refresh_token\",\n client_id: config.clientId,\n refresh_token: config.refreshToken,\n });\n\n const res = await fetch(url, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const text = await res.text().catch(() => \"\");\n if (res.status === 400 && text.includes(\"invalid_grant\")) {\n throw new Error(\n \"Refresh token expired or revoked. 
Run 'clef cloud login' to re-authenticate.\",\n );\n }\n throw new Error(`Token refresh failed (${res.status}): ${text}`);\n }\n\n const data = (await res.json()) as {\n access_token: string;\n id_token: string;\n expires_in: number;\n token_type: string;\n };\n\n return {\n accessToken: data.access_token,\n idToken: data.id_token,\n expiresIn: data.expires_in,\n };\n}\n", "/**\n * Cloud-aware SopsClient factory.\n *\n * Spawns the keyservice sidecar and creates a SopsClient with the keyservice\n * address for cloud backend decrypt/encrypt operations.\n */\nimport { SopsClient, SubprocessRunner } from \"@clef-sh/core\";\nimport { readCloudCredentials, writeCloudCredentials } from \"./credentials\";\nimport { resolveKeyservicePath } from \"./resolver\";\nimport { spawnKeyservice } from \"./keyservice\";\nimport { refreshAccessToken } from \"./token-refresh\";\n\nexport interface CloudSopsResult {\n client: SopsClient;\n cleanup: () => Promise<void>;\n}\n\nexport type CreateSopsClientFn = (\n repoRoot: string,\n runner: SubprocessRunner,\n keyserviceAddr?: string,\n) => Promise<SopsClient>;\n\n/**\n * Resolve a fresh Cognito access token.\n *\n * Priority:\n * 1. CLEF_CLOUD_REFRESH_TOKEN env var (CI)\n * 2. ~/.clef/credentials.yaml refreshToken (interactive)\n *\n * If a cached access token exists and hasn't expired, returns it.\n * Otherwise refreshes via the Cognito token endpoint.\n */\nexport async function resolveAccessToken(): Promise<{ accessToken: string; endpoint?: string }> {\n // Service account token \u2014 used in CI, no refresh needed\n const clefToken = process.env.CLEF_TOKEN;\n if (clefToken) {\n const creds = readCloudCredentials();\n return { accessToken: clefToken, endpoint: creds?.endpoint };\n }\n\n const creds = readCloudCredentials();\n const refreshToken = process.env.CLEF_CLOUD_REFRESH_TOKEN ?? creds?.refreshToken;\n\n if (!refreshToken) {\n throw new Error(\"Not authenticated. 
Run 'clef cloud login' to connect to Clef Cloud.\");\n }\n\n // Return cached access token if still valid (before checking Cognito config)\n if (\n creds?.accessToken &&\n creds?.accessTokenExpiry &&\n Date.now() < creds.accessTokenExpiry - 60000\n ) {\n return { accessToken: creds.accessToken, endpoint: creds?.endpoint };\n }\n\n if (!creds?.cognitoDomain || !creds?.clientId) {\n throw new Error(\"Missing Cognito configuration. Run 'clef cloud login' to re-authenticate.\");\n }\n\n const result = await refreshAccessToken({\n cognitoDomain: creds.cognitoDomain,\n clientId: creds.clientId,\n refreshToken,\n });\n\n writeCloudCredentials({\n ...creds,\n refreshToken,\n accessToken: result.accessToken,\n accessTokenExpiry: Date.now() + result.expiresIn * 1000,\n });\n\n return { accessToken: result.accessToken, endpoint: creds?.endpoint };\n}\n\n/**\n * Create a SopsClient backed by the cloud keyservice sidecar.\n *\n * @param repoRoot - Repository root directory.\n * @param runner - Subprocess runner for SOPS invocations.\n * @param createSopsClient - Factory function from the CLI to create a SopsClient\n * (handles age credential resolution).\n */\nexport async function createCloudSopsClient(\n repoRoot: string,\n runner: SubprocessRunner,\n createSopsClient: CreateSopsClientFn,\n): Promise<CloudSopsResult> {\n const { accessToken, endpoint } = await resolveAccessToken();\n\n const binaryPath = resolveKeyservicePath().path;\n const handle = await spawnKeyservice({\n binaryPath,\n token: accessToken,\n endpoint,\n });\n\n const client = await createSopsClient(repoRoot, runner, handle.addr);\n return {\n client,\n cleanup: () => handle.kill(),\n };\n}\n"],
|
|
5
|
+
"mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,IAAAA,QAAsB;AAEtB,IAAAC,eAOO;;;ACHP,2BAAyC;AACzC,eAA0B;AAS1B,IAAM,aAAa;AACnB,IAAM,qBAAqB;AAC3B,IAAM,sBAAsB;AAU5B,eAAsB,gBAAgB,SAIR;AAC5B,QAAM,OAAO,CAAC,UAAU,aAAa;AACrC,MAAI,QAAQ,UAAU;AACpB,SAAK,KAAK,cAAc,QAAQ,QAAQ;AAAA,EAC1C;AAGA,QAAM,YAAQ,4BAAM,QAAQ,YAAY,MAAM;AAAA,IAC5C,OAAO,CAAC,UAAU,QAAQ,MAAM;AAAA,IAChC,KAAK,EAAE,GAAG,QAAQ,KAAK,kBAAkB,QAAQ,MAAM;AAAA,EACzD,CAAC;AAED,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAM,OAAO,mBAAmB,IAAI;AAEpC,SAAO;AAAA,IACL;AAAA,IACA,MAAM,MAAM,eAAe,KAAK;AAAA,EAClC;AACF;AAEA,SAAS,SAAS,OAAsC;AACtD,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,QAAI,UAAU;AAEd,UAAM,KAAc,yBAAgB,EAAE,OAAO,MAAM,OAAQ,CAAC;AAE5D,aAAS,SAAS;AAChB,mBAAa,KAAK;AAClB,SAAG,MAAM;AAAA,IACX;AAEA,UAAM,QAAQ,WAAW,MAAM;AAC7B,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,eAAO;AACP,cAAM,KAAK,SAAS;AACpB,eAAO,IAAI,MAAM,4CAA4C,CAAC;AAAA,MAChE;AAAA,IACF,GAAG,kBAAkB;AAErB,OAAG,GAAG,QAAQ,CAAC,SAAS;AACtB,YAAM,QAAQ,WAAW,KAAK,IAAI;AAClC,UAAI,SAAS,CAAC,SAAS;AACrB,kBAAU;AACV,eAAO;AACP,gBAAQ,SAAS,MAAM,CAAC,GAAG,EAAE,CAAC;AAAA,MAChC;AAAA,IACF,CAAC;AAED,UAAM,GAAG,SAAS,CAAC,QAAQ;AACzB,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,eAAO;AACP,eAAO,IAAI,MAAM,+BAA+B,IAAI,OAAO,EAAE,CAAC;AAAA,MAChE;AAAA,IACF,CAAC;AAED,UAAM,GAAG,QAAQ,CAAC,SAAS;AACzB,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,eAAO;AACP,eAAO,IAAI,MAAM,4CAA4C,IAAI,GAAG,CAAC;AAAA,MACvE;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,eAAe,OAAoC;AAC1D,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,QAAI,MAAM,aAAa,MAAM;AAC3B,cAAQ;AACR;AAAA,IACF;AACA,UAAM,QAAQ,WAAW,MAAM;AAC7B,YAAM,KAAK,SAAS;AAAA,IACtB,GAAG,mBAAmB;AACtB,UAAM,GAAG,QAAQ,MAAM;AACrB,mBAAa,KAAK;AAClB,cAAQ;AAAA,IACV,CAAC;AACD,UAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AACH;;;AC1GA,IAAAC,MAAoB;AACpB,IAAAC,QAAsB;;;ACNtB,SAAoB;AACpB,WAAsB;AAMf,SAAS,uBAAsC;AACpD,QAAM,WAAW,QAAQ;AACzB,QAAM,OAAO,QAAQ;AAErB,QAAM,WAAW,SAAS,QAAQ,QAAQ,SAAS,UAAU,UAAU;AACvE,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,eACJ,aAAa,WACT,WACA,aAAa,UACX,UACA,aAAa,UACX,UACA;AACV,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,cAAc,uBAAuB,YAAY,IAAI,QAAQ;AACnE,QAAM,UAAU,aA
Aa,UAAU,wBAAwB;AAE/D,MAAI;AACF,UAAM,cAAc,QAAQ,QAAQ,GAAG,WAAW,eAAe;AACjE,UAAM,aAAkB,aAAQ,WAAW;AAC3C,UAAM,UAAe,UAAK,YAAY,OAAO,OAAO;AACpD,WAAU,cAAW,OAAO,IAAI,UAAU;AAAA,EAC5C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AD1BA,SAAS,uBAAuB,WAAyB;AACvD,MAAI,CAAM,iBAAW,SAAS,GAAG;AAC/B,UAAM,IAAI,MAAM,uDAAuD,SAAS,IAAI;AAAA,EACtF;AACA,QAAM,WAAW,UAAU,MAAM,OAAO;AACxC,MAAI,SAAS,SAAS,IAAI,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,sDAAsD,SAAS;AAAA,IAEjE;AAAA,EACF;AACF;AAWA,IAAI;AAaG,SAAS,wBAA8C;AAC5D,MAAI,OAAQ,QAAO;AAGnB,QAAM,UAAU,QAAQ,IAAI,sBAAsB,KAAK;AACvD,MAAI,SAAS;AACX,2BAAuB,OAAO;AAC9B,QAAI,CAAI,eAAW,OAAO,GAAG;AAC3B,YAAM,IAAI,MAAM,mCAAmC,OAAO,gCAAgC;AAAA,IAC5F;AACA,aAAS,EAAE,MAAM,SAAS,QAAQ,MAAM;AACxC,WAAO;AAAA,EACT;AAGA,QAAM,cAAc,qBAAqB;AACzC,MAAI,aAAa;AACf,aAAS,EAAE,MAAM,aAAa,QAAQ,UAAU;AAChD,WAAO;AAAA,EACT;AAGA,WAAS,EAAE,MAAM,mBAAmB,QAAQ,SAAS;AACrD,SAAO;AACT;;;AExEA,IAAAC,MAAoB;AACpB,IAAAC,QAAsB;AACtB,SAAoB;AACpB,WAAsB;;;ACHf,IAAM,yBAAyB;;;ADOtC,IAAM,uBAAuB;AAMtB,SAAS,uBAAoD;AAClE,QAAM,WAAgB,WAAQ,WAAQ,GAAG,SAAS,oBAAoB;AAEtE,MAAI;AACJ,MAAI;AACF,UAAW,WAAS,iBAAa,UAAU,OAAO,CAAC;AAAA,EACrD,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,QAAM,MAAM;AAEZ,QAAM,eAAe,OAAO,IAAI,iBAAiB,WAAW,IAAI,eAAe;AAC/E,QAAM,cAAc,OAAO,IAAI,gBAAgB,WAAW,IAAI,cAAc;AAC5E,QAAM,oBACJ,OAAO,IAAI,sBAAsB,WAAW,IAAI,oBAAoB;AACtE,QAAM,WAAW,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AACnE,QAAM,gBAAgB,OAAO,IAAI,kBAAkB,WAAW,IAAI,gBAAgB;AAClF,QAAM,WAAW,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AAEnE,MAAI,CAAC,gBAAgB,aAAa,uBAAwB,QAAO;AAEjE,SAAO,EAAE,cAAc,aAAa,mBAAmB,UAAU,eAAe,SAAS;AAC3F;AAOO,SAAS,sBAAsB,aAAyC;AAC7E,QAAM,UAAe,WAAQ,WAAQ,GAAG,OAAO;AAC/C,EAAG,cAAU,SAAS,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AACtD,QAAM,WAAgB,WAAK,SAAS,oBAAoB;AAExD,QAAM,UAAU,OAAO;AAAA,IACrB,OAAO,QAAQ,WAAW,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,MAAM,MAAS;AAAA,EAC/D;AAEA,EAAG,kBAAc,UAAe,eAAU,OAAO,GAAG,EAAE,MAAM,IAAM,CAAC;AACrE;;;AEVA,eAAsB,mBACpB,UACA,SAMwB;AACxB,QAAM,OAAO,YAAY;AACzB,QAAM,UAAkC;AAAA,IACtC,YAAY;AAAA,IACZ,eAAe,QAAQ;AAAA,IACvB,UAAU,QAAQ;AAAA,IAClB,MAAM,QAAQ;AAAA,EAChB;
AACA,MAAI,QAAQ,aAAa;AACvB,YAAQ,cAAc,QAAQ;AAAA,EAChC;AACA,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,GAAG,IAAI,uBAAuB;AAAA,MAC9C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,OAAO;AAAA,IAC9B,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,QAAQ,eAAe,QAAS,IAAoC,QAAQ;AAClF,UAAM,SACJ,iBAAiB,QAAQ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC1F,UAAM,IAAI,MAAM,iCAAiC,IAAI,KAAK,MAAM,EAAE;AAAA,EACpE;AAEA,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,UAAM,IAAI,MAAM,4BAA4B,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,EACpE;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK;AAE5B,QAAM,UAAW,KAAK,QAAQ;AAG9B,MAAI,QAAQ,WAAW,CAAC,QAAQ,QAAQ,WAAW,MAAM,GAAG;AAC1D,YAAQ,UAAU,GAAG,IAAI,GAAG,QAAQ,OAAO;AAAA,EAC7C;AAEA,SAAO;AACT;AAQA,eAAsB,eAAe,SAA4C;AAC/E,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,OAAO;AAAA,EAC3B,SAAS,KAAK;AACZ,UAAM,QAAQ,eAAe,QAAS,IAAoC,QAAQ;AAClF,UAAM,SACJ,iBAAiB,QAAQ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC1F,UAAM,IAAI,MAAM,6CAA6C,MAAM,EAAE;AAAA,EACvE;AAEA,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,UAAM,IAAI,MAAM,4BAA4B,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,EACpE;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,SAAQ,KAAK,QAAQ;AACvB;;;AC9GA,kBAA8B;;;ACoB9B,eAAsB,mBAAmB,QAAyD;AAChG,QAAM,MAAM,GAAG,OAAO,aAAa;AAEnC,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,WAAW,OAAO;AAAA,IAClB,eAAe,OAAO;AAAA,EACxB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,KAAK;AAAA,IAC3B,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,QAAI,IAAI,WAAW,OAAO,KAAK,SAAS,eAAe,GAAG;AACxD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,EACjE;AAEA,QAAM,OAAQ,MAAM,IAAI,KAAK;AAO7B,SAAO;AAAA,IACL,aAAa,KAAK;AAAA,IAClB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,EAClB;AACF;;;AChCA,eAAsB,qBAA0E;AAE9F,QAAM,YAAY,QAAQ,IAAI;AAC9B,MAAI,WAAW;AACb,UAAMC,SAAQ,qBAAqB;AACnC,WAAO,EAAE,aAAa,WAAW,UAAUA,QAAO,SAAS;AAAA,EAC7D;AAEA,QAAM,QAAQ,qBAAqB;AACnC,QAAM,eAAe,QAAQ,IAAI,4BAA4B,OAAO;AAEpE,MAAI,CAAC,
cAAc;AACjB,UAAM,IAAI,MAAM,qEAAqE;AAAA,EACvF;AAGA,MACE,OAAO,eACP,OAAO,qBACP,KAAK,IAAI,IAAI,MAAM,oBAAoB,KACvC;AACA,WAAO,EAAE,aAAa,MAAM,aAAa,UAAU,OAAO,SAAS;AAAA,EACrE;AAEA,MAAI,CAAC,OAAO,iBAAiB,CAAC,OAAO,UAAU;AAC7C,UAAM,IAAI,MAAM,2EAA2E;AAAA,EAC7F;AAEA,QAAM,SAAS,MAAM,mBAAmB;AAAA,IACtC,eAAe,MAAM;AAAA,IACrB,UAAU,MAAM;AAAA,IAChB;AAAA,EACF,CAAC;AAED,wBAAsB;AAAA,IACpB,GAAG;AAAA,IACH;AAAA,IACA,aAAa,OAAO;AAAA,IACpB,mBAAmB,KAAK,IAAI,IAAI,OAAO,YAAY;AAAA,EACrD,CAAC;AAED,SAAO,EAAE,aAAa,OAAO,aAAa,UAAU,OAAO,SAAS;AACtE;;;ATrDA,IAAM,mBAAmB;AAuBlB,SAAS,sBAAsB,SAAkB,MAA0B;AAChF,QAAM,EAAE,WAAW,KAAK,OAAO,IAAI;AACnC,QAAM,QAAQ,QAAQ,QAAQ,OAAO,EAAE,YAAY,gCAAgC;AAEnF,QACG,QAAQ,QAAQ,EAChB,YAAY,qCAAqC,EACjD,OAAO,YAAY;AAClB,QAAI;AACF,YAAM,WAAY,QAAQ,KAAK,EAAE,OAAkB,QAAQ,IAAI;AAC/D,YAAM,SAAS,IAAI,4BAAe;AAGlC,UAAI;AACJ,UAAI;AACF,mBAAW,OAAO,MAAW,WAAK,UAAU,WAAW,CAAC;AAAA,MAC1D,QAAQ;AACN,kBAAU,MAAM,GAAG,IAAI,MAAM,CAAC,2BAA2B,QAAQ,EAAE;AACnE;AAAA,MACF;AAEA,gBAAU,MAAM,GAAG,IAAI,MAAM,CAAC;AAAA,CAAuB;AAGrD,UAAI,SAAS,OAAO;AAClB,kBAAU,MAAM,oBAAoB,SAAS,MAAM,aAAa,EAAE;AAClE,kBAAU,MAAM,oBAAoB,SAAS,MAAM,KAAK,EAAE;AAAA,MAC5D,OAAO;AACL,kBAAU,MAAM,2BAA2B;AAC3C,kBAAU,KAAK,iEAAiE;AAChF;AAAA,MACF;AAGA,YAAM,YAAY,SAAS,aAAa,OAAO,CAAC,MAAM,EAAE,MAAM,YAAY,OAAO;AACjF,YAAM,eAAe,SAAS,KAAK,oBAAoB;AACvD,UAAI,UAAU,SAAS,KAAK,cAAc;AACxC,cAAM,WAAW,eACb,SAAS,aAAa,IAAI,CAAC,MAAM,EAAE,IAAI,IACvC,UAAU,IAAI,CAAC,MAAM,EAAE,IAAI;AAC/B,kBAAU,MAAM,oBAAoB,SAAS,KAAK,IAAI,CAAC,EAAE;AAAA,MAC3D,OAAO;AACL,kBAAU,MAAM,2CAA2C;AAAA,MAC7D;AAGA,YAAM,QAAQ,qBAAqB;AACnC,UAAI,OAAO;AACT,kBAAU,MAAM,gCAAgC;AAChD,kBAAU,MAAM,oBAAoB,MAAM,QAAQ,EAAE;AAAA,MACtD,OAAO;AACL,kBAAU,MAAM,oCAAoC;AACpD,kBAAU,KAAK,4CAA4C;AAAA,MAC7D;AAGA,UAAI;AACF,cAAM,KAAK,sBAAsB;AACjC,kBAAU,MAAM,oBAAoB,GAAG,MAAM,KAAK,GAAG,IAAI,GAAG;AAAA,MAC9D,QAAQ;AACN,kBAAU,MAAM,4BAA4B;AAC5C,kBAAU,KAAK,0DAA0D;AAAA,MAC3E;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,gBAAU,MAAM,OAAO;AACvB,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,CAAC;AAEH,QACG,QAAQ,MAAM,EACd,YAAY,uCAAuC,EACnD,eAAe,uBAAu
B,uCAAuC,EAC7E,OAAO,OAAO,SAA0B;AACvC,QAAI;AACF,YAAM,WAAY,QAAQ,KAAK,EAAE,OAAkB,QAAQ,IAAI;AAC/D,YAAM,SAAS,IAAI,4BAAe;AAClC,YAAM,WAAW,OAAO,MAAW,WAAK,UAAU,WAAW,CAAC;AAG9D,YAAM,YAAY,SAAS,aAAa,KAAK,CAAC,MAAM,EAAE,SAAS,KAAK,GAAG;AACvE,UAAI,CAAC,WAAW;AACd,kBAAU;AAAA,UACR,gBAAgB,KAAK,GAAG,wCACR,SAAS,aAAa,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,IAAI,CAAC;AAAA,QACrE;AACA,gBAAQ,KAAK,CAAC;AACd;AAAA,MACF;AAEA,UAAI,UAAU,MAAM,YAAY,WAAW,SAAS,OAAO;AACzD,kBAAU;AAAA,UACR,gBAAgB,KAAK,GAAG,qCAClB,SAAS,MAAM,KAAK;AAAA,QAC5B;AACA;AAAA,MACF;AAGA,UAAI;AACJ,UAAI;AACF,yBAAiB,sBAAsB,EAAE;AAAA,MAC3C,QAAQ;AACN,kBAAU;AAAA,UACR;AAAA,QACF;AACA,gBAAQ,KAAK,CAAC;AACd;AAAA,MACF;AAEA,gBAAU,MAAM,GAAG,IAAI,MAAM,CAAC;AAAA,CAAgB;AAG9C,YAAM,gBAAgB,qBAAqB;AAC3C,YAAM,gBAAgB,eAAe,YAAY;AACjD,gBAAU,MAAM,iBAAiB,aAAa,EAAE;AAChD,gBAAU;AAAA,QACR,iBAAiB,gBAAgB,iBAAiB,cAAc,eAAe,QAAQ,IAAI,cAAc,cAAc,QAAQ,KAAK,MAAM;AAAA,MAC5I;AAEA,UAAI;AACJ,UAAI;AACJ,UAAI;AAEJ,UAAI,iBAAiB,cAAc,gBAAgB,SAAS,OAAO;AAEjE,wBAAgB,SAAS,MAAM;AAC/B,gBAAQ,SAAS,MAAM;AACvB,kBAAU,MAAM,wCAAwC,KAAK,EAAE;AAAA,MACjE,OAAO;AACL,kBAAU,MAAM,0CAA0C,KAAK,GAAG,KAAK;AAEvE,cAAM,UAAU,MAAM,mBAAmB,eAAe;AAAA,UACtD,UAAe,eAAS,QAAQ;AAAA,UAChC,aAAa,KAAK;AAAA,UAClB,eAAe,KAAK;AAAA,UACpB,MAAM;AAAA,QACR,CAAC;AAED,kBAAU,MAAM;AAAA,KAA8C,QAAQ,QAAQ;AAAA,CAAI;AAElF,cAAM,KAAK,YAAY,QAAQ,UAAU,MAAM;AAC/C,kBAAU,MAAM,0DAA0D;AAE1E,cAAM,SAAS,MAAM,kBAAkB,QAAQ,OAAO;AAEtD,YACE,OAAO,WAAW,cAClB,CAAC,OAAO,SACR,CAAC,OAAO,iBACR,CAAC,OAAO,OACR;AACA,oBAAU;AAAA,YACR,OAAO,WAAW,YACd,kDACA;AAAA,UACN;AACA,kBAAQ,KAAK,CAAC;AACd;AAAA,QACF;AAEA,wBAAgB,OAAO;AACvB,gBAAQ,OAAO;AAEf,cAAM,QAA8B;AAAA,UAClC,cAAc,OAAO;AAAA,UACrB,UAAU,eAAe;AAAA,UACzB,eAAe,OAAO;AAAA,UACtB,UAAU,OAAO;AAAA,QACnB;AACA,YAAI,OAAO,eAAe,OAAO,sBAAsB;AACrD,gBAAM,cAAc,OAAO;AAC3B,gBAAM,oBAAoB,KAAK,IAAI,IAAI,OAAO,uBAAuB;AACrE,kCAAwB,OAAO;AAAA,QACjC;AACA,8BAAsB,KAAK;AAC3B,kBAAU,QAAQ,YAAY;AAAA,MAChC;AAEA,gBAAU,MAAM;AAAA,oCAAuC,KAAK,GAAG,KAAK;AACpE,gBAAU,MAAM,MAAM,IAAI,SAAS,CAAC,0BAA0B,KAAK,EAAE;AAErE,gBAAU,MAAM;AAAA,eAAkB,KAAK,GAAG,8BAA8B;AAIxE,YAAM,gBAAgB,
gBAAgB,QAAQ;AAC9C,oBAAc,QAAQ,EAAE,eAAe,MAAM;AAC7C,YAAM,WAAW,cAAc,aAAa,KAAK,CAAC,MAAM,EAAE,SAAS,KAAK,GAAG;AAC3E,UAAI,UAAU;AACZ,iBAAS,OAAO,EAAE,SAAS,QAAQ;AAAA,MACrC;AAEA,YAAM,gBAAgB,IAAI,2BAAc;AACxC,YAAM,QAAQ,cACX,cAAc,UAAU,QAAQ,EAChC,OAAO,CAAC,MAAM,EAAE,gBAAgB,KAAK,OAAO,EAAE,MAAM;AAEvD,UAAI,MAAM,WAAW,GAAG;AACtB,kBAAU,MAAM,mCAAmC,KAAK,GAAG,GAAG;AAAA,MAChE,OAAO;AACL,cAAM,gBAAgB,MAAM,KAAK,iBAAiB,UAAU,MAAM;AAClE,cAAM,EAAE,aAAa,UAAU,WAAW,IAAI,wBAC1C,EAAE,aAAa,uBAAuB,UAAU,cAAc,IAC9D,MAAM,mBAAmB;AAE7B,cAAM,WAAW,MAAM,gBAAgB;AAAA,UACrC,YAAY;AAAA,UACZ,OAAO;AAAA,UACP,UAAU;AAAA,QACZ,CAAC;AAED,YAAI;AACF,gBAAM,kBAAkB,MAAM,KAAK,iBAAiB,UAAU,QAAQ,SAAS,IAAI;AAEnF,qBAAW,QAAQ,OAAO;AACxB,kBAAM,YAAY,MAAM,cAAc,QAAQ,KAAK,QAAQ;AAC3D,kBAAM,gBAAgB;AAAA,cACpB,KAAK;AAAA,cACL,UAAU;AAAA,cACV;AAAA,cACA,KAAK;AAAA,YACP;AACA,kBAAM,UAAe,eAAS,UAAU,KAAK,QAAQ;AACrD,sBAAU,MAAM,MAAM,IAAI,SAAS,CAAC,KAAK,OAAO,EAAE;AAAA,UACpD;AAEA,oBAAU,MAAM;AAAA,gCAAmC;AACnD,qBAAW,QAAQ,OAAO;AACxB,kBAAM,gBAAgB,QAAQ,KAAK,QAAQ;AAC3C,kBAAM,UAAe,eAAS,UAAU,KAAK,QAAQ;AACrD,sBAAU,MAAM,MAAM,IAAI,SAAS,CAAC,KAAK,OAAO,EAAE;AAAA,UACpD;AAAA,QACF,UAAE;AACA,gBAAM,SAAS,KAAK;AAAA,QACtB;AAAA,MACF;AAGA,YAAM,kBAAc,+BAAiB,QAAQ;AAC7C,kBAAY,QAAQ,EAAE,eAAe,MAAM;AAC3C,YAAM,OAAO,YAAY;AACzB,YAAM,eAAe,KAAK,KAAK,CAAC,MAAM,EAAE,SAAS,KAAK,GAAG;AACzD,UAAI,cAAc;AAChB,qBAAa,OAAO,EAAE,SAAS,QAAQ;AAAA,MACzC;AACA,0CAAkB,UAAU,WAAW;AAEvC,gBAAU,MAAM;AAAA,KAAQ,IAAI,SAAS,CAAC;AAAA,CAA2B;AACjE,gBAAU,MAAM,WAAW,KAAK,GAAG,kDAAkD;AACrF,gBAAU,MAAM;AAAA,CAA2D;AAC3E,gBAAU,KAAK,yDAAyD;AAAA,IAC1E,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,gBAAU,MAAM,OAAO;AACvB,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,CAAC;AAEH,QACG,QAAQ,OAAO,EACf,YAAY,+BAA+B,EAC3C,OAAO,YAAY;AAClB,QAAI;AACF,gBAAU,MAAM,GAAG,IAAI,MAAM,CAAC;AAAA,CAAgB;AAE9C,YAAM,gBAAgB,qBAAqB;AAC3C,YAAM,WAAW,eAAe;AAEhC,YAAM,UAAU,MAAM,mBAAmB,UAAU;AAAA,QACjD,UAAe,eAAS,QAAQ,IAAI,CAAC;AAAA,QACrC,eAAe,KAAK;AAAA,QACpB,MAAM;AAAA,MACR,CAAC;AAED,gBAAU,MAAM,iCAAiC;AACjD,gBAAU,MAAM;AAAA,KAA8C,QAAQ,QAAQ;AAAA,CAAI;AAElF,YAAM,SAAS,MA
AM,KAAK,YAAY,QAAQ,UAAU,MAAM;AAC9D,UAAI,CAAC,QAAQ;AACX,kBAAU,KAAK,4DAA4D;AAAA,MAC7E;AAEA,gBAAU,MAAM,0DAA0D;AAE1E,YAAM,SAAS,MAAM,kBAAkB,QAAQ,OAAO;AAEtD,UAAI,OAAO,WAAW,WAAW;AAC/B,kBAAU,MAAM,gDAAgD;AAChE,gBAAQ,KAAK,CAAC;AACd;AAAA,MACF;AACA,UAAI,OAAO,WAAW,aAAa;AACjC,kBAAU,KAAK,kBAAkB;AACjC;AAAA,MACF;AAEA,UAAI,OAAO,OAAO;AAChB,cAAM,QAA8B;AAAA,UAClC,cAAc,OAAO;AAAA,UACrB;AAAA,UACA,eAAe,OAAO;AAAA,UACtB,UAAU,OAAO;AAAA,QACnB;AACA,YAAI,OAAO,eAAe,OAAO,sBAAsB;AACrD,gBAAM,cAAc,OAAO;AAC3B,gBAAM,oBAAoB,KAAK,IAAI,IAAI,OAAO,uBAAuB;AAAA,QACvE;AACA,8BAAsB,KAAK;AAC3B,kBAAU,QAAQ,0DAA0D;AAAA,MAC9E;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,gBAAU,MAAM,OAAO;AACvB,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF,CAAC;AACL;AAEA,eAAe,kBAAkB,SAA4C;AAC3E,aAAS;AACP,UAAM,SAAS,MAAM,eAAe,OAAO;AAC3C,QACE,OAAO,WAAW,cAClB,OAAO,WAAW,aAClB,OAAO,WAAW,aAClB;AACA,aAAO;AAAA,IACT;AACA,UAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,gBAAgB,CAAC;AAAA,EACtE;AACF;",
|
|
6
|
+
"names": ["path", "import_core", "fs", "path", "fs", "path", "creds"]
|
|
7
|
+
}
|