@clef-sh/cloud 0.1.18-beta.85

package/dist/cli.mjs

@@ -0,0 +1,579 @@
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/commands/cloud.ts
+import * as path4 from "path";
+import {
+  ManifestParser,
+  MatrixManager as MatrixManager2,
+  readManifestYaml,
+  writeManifestYaml
+} from "@clef-sh/core";
+
+// src/keyservice.ts
+import { spawn } from "child_process";
+import * as readline from "readline";
+var PORT_REGEX = /^PORT=(\d+)$/;
+var STARTUP_TIMEOUT_MS = 5e3;
+var SHUTDOWN_TIMEOUT_MS = 3e3;
+async function spawnKeyservice(options) {
+  const args = ["--addr", "127.0.0.1:0"];
+  if (options.endpoint) {
+    args.push("--endpoint", options.endpoint);
+  }
+  const child = spawn(options.binaryPath, args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    env: { ...process.env, CLEF_CLOUD_TOKEN: options.token }
+  });
+  const port = await readPort(child);
+  const addr = `tcp://127.0.0.1:${port}`;
+  return {
+    addr,
+    kill: () => killGracefully(child)
+  };
+}
+function readPort(child) {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const rl = readline.createInterface({ input: child.stdout });
+    function settle() {
+      clearTimeout(timer);
+      rl.close();
+    }
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        settle();
+        child.kill("SIGKILL");
+        reject(new Error("Keyservice did not start within 5 seconds."));
+      }
+    }, STARTUP_TIMEOUT_MS);
+    rl.on("line", (line) => {
+      const match = PORT_REGEX.exec(line);
+      if (match && !settled) {
+        settled = true;
+        settle();
+        resolve(parseInt(match[1], 10));
+      }
+    });
+    child.on("error", (err) => {
+      if (!settled) {
+        settled = true;
+        settle();
+        reject(new Error(`Failed to start keyservice: ${err.message}`));
+      }
+    });
+    child.on("exit", (code) => {
+      if (!settled) {
+        settled = true;
+        settle();
+        reject(new Error(`Keyservice exited unexpectedly with code ${code}.`));
+      }
+    });
+  });
+}
+function killGracefully(child) {
+  return new Promise((resolve) => {
+    if (child.exitCode !== null) {
+      resolve();
+      return;
+    }
+    const timer = setTimeout(() => {
+      child.kill("SIGKILL");
+    }, SHUTDOWN_TIMEOUT_MS);
+    child.on("exit", () => {
+      clearTimeout(timer);
+      resolve();
+    });
+    child.kill("SIGTERM");
+  });
+}
+
+// src/resolver.ts
+import * as fs2 from "fs";
+import * as path2 from "path";
+
+// src/bundled.ts
+import * as fs from "fs";
+import * as path from "path";
+function tryBundledKeyservice() {
+  const platform = process.platform;
+  const arch = process.arch;
+  const archName = arch === "x64" ? "x64" : arch === "arm64" ? "arm64" : null;
+  if (!archName) return null;
+  const platformName = platform === "darwin" ? "darwin" : platform === "linux" ? "linux" : platform === "win32" ? "win32" : null;
+  if (!platformName) return null;
+  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;
+  const binName = platform === "win32" ? "clef-keyservice.exe" : "clef-keyservice";
+  try {
+    const packageMain = __require.resolve(`${packageName}/package.json`);
+    const packageDir = path.dirname(packageMain);
+    const binPath = path.join(packageDir, "bin", binName);
+    return fs.existsSync(binPath) ? binPath : null;
+  } catch {
+    return null;
+  }
+}
+
+// src/resolver.ts
+function validateKeyservicePath(candidate) {
+  if (!path2.isAbsolute(candidate)) {
+    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
+  }
+  const segments = candidate.split(/[/\\]/);
+  if (segments.includes("..")) {
+    throw new Error(
+      `CLEF_KEYSERVICE_PATH contains '..' path segments ('${candidate}'). Use an absolute path without directory traversal.`
+    );
+  }
+}
+var cached;
+function resolveKeyservicePath() {
+  if (cached) return cached;
+  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
+  if (envPath) {
+    validateKeyservicePath(envPath);
+    if (!fs2.existsSync(envPath)) {
+      throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
+    }
+    cached = { path: envPath, source: "env" };
+    return cached;
+  }
+  const bundledPath = tryBundledKeyservice();
+  if (bundledPath) {
+    cached = { path: bundledPath, source: "bundled" };
+    return cached;
+  }
+  cached = { path: "clef-keyservice", source: "system" };
+  return cached;
+}
+
+// src/credentials.ts
+import * as fs3 from "fs";
+import * as path3 from "path";
+import * as os from "os";
+import * as YAML from "yaml";
+
+// src/constants.ts
+var CLOUD_DEFAULT_ENDPOINT = "https://api.clef.sh";
+
+// src/credentials.ts
+var CREDENTIALS_FILENAME = "credentials.yaml";
+function readCloudCredentials() {
+  const credPath = path3.join(os.homedir(), ".clef", CREDENTIALS_FILENAME);
+  let raw;
+  try {
+    raw = YAML.parse(fs3.readFileSync(credPath, "utf-8"));
+  } catch {
+    return null;
+  }
+  if (!raw || typeof raw !== "object") return null;
+  const obj = raw;
+  const refreshToken = typeof obj.refreshToken === "string" ? obj.refreshToken : "";
+  const accessToken = typeof obj.accessToken === "string" ? obj.accessToken : void 0;
+  const accessTokenExpiry = typeof obj.accessTokenExpiry === "number" ? obj.accessTokenExpiry : void 0;
+  const endpoint = typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;
+  const cognitoDomain = typeof obj.cognitoDomain === "string" ? obj.cognitoDomain : void 0;
+  const clientId = typeof obj.clientId === "string" ? obj.clientId : void 0;
+  if (!refreshToken && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;
+  return { refreshToken, accessToken, accessTokenExpiry, endpoint, cognitoDomain, clientId };
+}
+function writeCloudCredentials(credentials) {
+  const clefDir = path3.join(os.homedir(), ".clef");
+  fs3.mkdirSync(clefDir, { recursive: true, mode: 448 });
+  const credPath = path3.join(clefDir, CREDENTIALS_FILENAME);
+  const content = Object.fromEntries(
+    Object.entries(credentials).filter(([, v]) => v !== void 0)
+  );
+  fs3.writeFileSync(credPath, YAML.stringify(content), { mode: 384 });
+}
+
+// src/device-flow.ts
+async function initiateDeviceFlow(endpoint, options) {
+  const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  const payload = {
+    clientType: "cli",
+    clientVersion: options.clientVersion,
+    repoName: options.repoName,
+    flow: options.flow
+  };
+  if (options.environment) {
+    payload.environment = options.environment;
+  }
+  let res;
+  try {
+    res = await fetch(`${base}/api/v1/device/init`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload)
+    });
+  } catch (err) {
+    const cause = err instanceof Error ? err.cause : void 0;
+    const reason = cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);
+    throw new Error(`Could not reach Clef Cloud at ${base}: ${reason}`);
+  }
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Device flow init failed (${res.status}): ${body}`);
+  }
+  const json = await res.json();
+  const session = json.data ?? json;
+  if (session.pollUrl && !session.pollUrl.startsWith("http")) {
+    session.pollUrl = `${base}${session.pollUrl}`;
+  }
+  return session;
+}
+async function pollDeviceFlow(pollUrl) {
+  let res;
+  try {
+    res = await fetch(pollUrl);
+  } catch (err) {
+    const cause = err instanceof Error ? err.cause : void 0;
+    const reason = cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);
+    throw new Error(`Could not reach Clef Cloud poll endpoint: ${reason}`);
+  }
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Device flow poll failed (${res.status}): ${body}`);
+  }
+  const json = await res.json();
+  return json.data ?? json;
+}
+
+// src/pack-client.ts
+import { MatrixManager } from "@clef-sh/core";
+
+// src/token-refresh.ts
+async function refreshAccessToken(config) {
+  const url = `${config.cognitoDomain}/oauth2/token`;
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    refresh_token: config.refreshToken
+  });
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    if (res.status === 400 && text.includes("invalid_grant")) {
+      throw new Error(
+        "Refresh token expired or revoked. Run 'clef cloud login' to re-authenticate."
+      );
+    }
+    throw new Error(`Token refresh failed (${res.status}): ${text}`);
+  }
+  const data = await res.json();
+  return {
+    accessToken: data.access_token,
+    idToken: data.id_token,
+    expiresIn: data.expires_in
+  };
+}
+
+// src/sops.ts
+async function resolveAccessToken() {
+  const clefToken = process.env.CLEF_TOKEN;
+  if (clefToken) {
+    const creds2 = readCloudCredentials();
+    return { accessToken: clefToken, endpoint: creds2?.endpoint };
+  }
+  const creds = readCloudCredentials();
+  const refreshToken = process.env.CLEF_CLOUD_REFRESH_TOKEN ?? creds?.refreshToken;
+  if (!refreshToken) {
+    throw new Error("Not authenticated. Run 'clef cloud login' to connect to Clef Cloud.");
+  }
+  if (creds?.accessToken && creds?.accessTokenExpiry && Date.now() < creds.accessTokenExpiry - 6e4) {
+    return { accessToken: creds.accessToken, endpoint: creds?.endpoint };
+  }
+  if (!creds?.cognitoDomain || !creds?.clientId) {
+    throw new Error("Missing Cognito configuration. Run 'clef cloud login' to re-authenticate.");
+  }
+  const result = await refreshAccessToken({
+    cognitoDomain: creds.cognitoDomain,
+    clientId: creds.clientId,
+    refreshToken
+  });
+  writeCloudCredentials({
+    ...creds,
+    refreshToken,
+    accessToken: result.accessToken,
+    accessTokenExpiry: Date.now() + result.expiresIn * 1e3
+  });
+  return { accessToken: result.accessToken, endpoint: creds?.endpoint };
+}
+
+// src/commands/cloud.ts
+var POLL_INTERVAL_MS = 2e3;
+function registerCloudCommands(program, deps) {
+  const { formatter, sym, runner } = deps;
+  const cloud = program.command("cloud").description("Manage Clef Cloud integration.");
+  cloud.command("status").description("Show Clef Cloud integration status.").action(async () => {
+    try {
+      const repoRoot = program.opts().dir || process.cwd();
+      const parser = new ManifestParser();
+      let manifest;
+      try {
+        manifest = parser.parse(path4.join(repoRoot, "clef.yaml"));
+      } catch {
+        formatter.print(`${sym("info")}  No clef.yaml found in ${repoRoot}`);
+        return;
+      }
+      formatter.print(`${sym("clef")}  Clef Cloud Status
+`);
+      if (manifest.cloud) {
+        formatter.print(`   Integration:  ${manifest.cloud.integrationId}`);
+        formatter.print(`   Key ID:       ${manifest.cloud.keyId}`);
+      } else {
+        formatter.print(`   Cloud:  not configured`);
+        formatter.hint("\n   Run 'clef cloud init --env <environment>' to set up Cloud.");
+        return;
+      }
+      const cloudEnvs = manifest.environments.filter((e) => e.sops?.backend === "cloud");
+      const defaultCloud = manifest.sops.default_backend === "cloud";
+      if (cloudEnvs.length > 0 || defaultCloud) {
+        const envNames = defaultCloud ? manifest.environments.map((e) => e.name) : cloudEnvs.map((e) => e.name);
+        formatter.print(`   Environments: ${envNames.join(", ")}`);
+      } else {
+        formatter.print(`   Environments: none using cloud backend`);
+      }
+      const creds = readCloudCredentials();
+      if (creds) {
+        formatter.print(`   Auth:         authenticated`);
+        formatter.print(`   Endpoint:     ${creds.endpoint}`);
+      } else {
+        formatter.print(`   Auth:         not authenticated`);
+        formatter.hint("   Run 'clef cloud login' to authenticate.");
+      }
+      try {
+        const ks = resolveKeyservicePath();
+        formatter.print(`   Keyservice:   ${ks.source} (${ks.path})`);
+      } catch {
+        formatter.print(`   Keyservice:   not found`);
+        formatter.hint("   Install the cloud package: npm install @clef-sh/cloud");
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      formatter.error(message);
+      process.exit(1);
+    }
+  });
+  cloud.command("init").description("Set up Clef Cloud for an environment.").requiredOption("--env <environment>", "Target environment (e.g., production)").action(async (opts) => {
+    try {
+      const repoRoot = program.opts().dir || process.cwd();
+      const parser = new ManifestParser();
+      const manifest = parser.parse(path4.join(repoRoot, "clef.yaml"));
+      const targetEnv = manifest.environments.find((e) => e.name === opts.env);
+      if (!targetEnv) {
+        formatter.error(
+          `Environment '${opts.env}' not found in clef.yaml. Available: ${manifest.environments.map((e) => e.name).join(", ")}`
+        );
+        process.exit(1);
+        return;
+      }
+      if (targetEnv.sops?.backend === "cloud" && manifest.cloud) {
+        formatter.info(
+          `Environment '${opts.env}' is already using Cloud backend (${manifest.cloud.keyId}). Nothing to do.`
+        );
+        return;
+      }
+      let keyservicePath;
+      try {
+        keyservicePath = resolveKeyservicePath().path;
+      } catch {
+        formatter.error(
+          "Keyservice binary not found. Install the cloud package: npm install @clef-sh/cloud"
+        );
+        process.exit(1);
+        return;
+      }
+      formatter.print(`${sym("clef")}  Clef Cloud
+`);
+      const existingCreds = readCloudCredentials();
+      const cloudEndpoint = existingCreds?.endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+      formatter.print(`   Endpoint:  ${cloudEndpoint}`);
+      formatter.print(
+        `   Creds:     ${existingCreds ? `authenticated=${existingCreds.refreshToken ? "yes" : "no"}, endpoint=${existingCreds.endpoint}` : "none"}`
+      );
+      let integrationId;
+      let keyId;
+      let deviceFlowAccessToken;
+      if (existingCreds && existingCreds.refreshToken && manifest.cloud) {
+        integrationId = manifest.cloud.integrationId;
+        keyId = manifest.cloud.keyId;
+        formatter.print(`   Using existing Cloud integration: ${keyId}`);
+      } else {
+        formatter.print(`   Opening browser to set up Cloud for ${opts.env}...`);
+        const session = await initiateDeviceFlow(cloudEndpoint, {
+          repoName: path4.basename(repoRoot),
+          environment: opts.env,
+          clientVersion: deps.cliVersion,
+          flow: "setup"
+        });
+        formatter.print(`   If the browser doesn't open, visit:
+   ${session.loginUrl}
+`);
+        await deps.openBrowser(session.loginUrl, runner);
+        formatter.print(`   Waiting for authorization... (press Ctrl+C to cancel)`);
+        const result = await pollUntilComplete(session.pollUrl);
+        if (result.status !== "complete" || !result.token || !result.integrationId || !result.keyId) {
+          formatter.error(
+            result.status === "expired" ? "Session expired. Run 'clef cloud init' again." : "Setup cancelled."
+          );
+          process.exit(1);
+          return;
+        }
+        integrationId = result.integrationId;
+        keyId = result.keyId;
+        const creds = {
+          refreshToken: result.token,
+          endpoint: existingCreds?.endpoint,
+          cognitoDomain: result.cognitoDomain,
+          clientId: result.clientId
+        };
+        if (result.accessToken && result.accessTokenExpiresIn) {
+          creds.accessToken = result.accessToken;
+          creds.accessTokenExpiry = Date.now() + result.accessTokenExpiresIn * 1e3;
+          deviceFlowAccessToken = result.accessToken;
+        }
+        writeCloudCredentials(creds);
+        formatter.success("Authorized");
+      }
+      formatter.print(`
+   Provisioning Cloud backend for ${opts.env}...`);
+      formatter.print(`   ${sym("success")}  KMS key provisioned: ${keyId}`);
+      formatter.print(`
+   Migrating ${opts.env} secrets to Cloud backend...`);
+      const cloudManifest = structuredClone(manifest);
+      cloudManifest.cloud = { integrationId, keyId };
+      const cloudEnv = cloudManifest.environments.find((e) => e.name === opts.env);
+      if (cloudEnv) {
+        cloudEnv.sops = { backend: "cloud" };
+      }
+      const matrixManager = new MatrixManager2();
+      const cells = matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.environment === opts.env && c.exists);
+      if (cells.length === 0) {
+        formatter.print(`   No encrypted files found for ${opts.env}.`);
+      } else {
+        const ageSopsClient = await deps.createSopsClient(repoRoot, runner);
+        const { accessToken, endpoint: ksEndpoint } = deviceFlowAccessToken ? { accessToken: deviceFlowAccessToken, endpoint: cloudEndpoint } : await resolveAccessToken();
+        const ksHandle = await spawnKeyservice({
+          binaryPath: keyservicePath,
+          token: accessToken,
+          endpoint: ksEndpoint
+        });
+        try {
+          const cloudSopsClient = await deps.createSopsClient(repoRoot, runner, ksHandle.addr);
+          for (const cell of cells) {
+            const decrypted = await ageSopsClient.decrypt(cell.filePath);
+            await cloudSopsClient.encrypt(
+              cell.filePath,
+              decrypted.values,
+              cloudManifest,
+              cell.environment
+            );
+            const relPath = path4.relative(repoRoot, cell.filePath);
+            formatter.print(`   ${sym("success")}  ${relPath}`);
+          }
+          formatter.print(`
+   Verifying encrypted files...`);
+          for (const cell of cells) {
+            await cloudSopsClient.decrypt(cell.filePath);
+            const relPath = path4.relative(repoRoot, cell.filePath);
+            formatter.print(`   ${sym("success")}  ${relPath}`);
+          }
+        } finally {
+          await ksHandle.kill();
+        }
+      }
+      const rawManifest = readManifestYaml(repoRoot);
+      rawManifest.cloud = { integrationId, keyId };
+      const envs = rawManifest.environments;
+      const targetRawEnv = envs.find((e) => e.name === opts.env);
+      if (targetRawEnv) {
+        targetRawEnv.sops = { backend: "cloud" };
+      }
+      writeManifestYaml(repoRoot, rawManifest);
+      formatter.print(`
+   ${sym("success")}  Cloud setup complete.
+`);
+      formatter.print(`   Your ${opts.env} environment now uses Clef Cloud for encryption.`);
+      formatter.print(`   Other environments continue to use age keys locally.
+`);
+      formatter.hint("   Commit your changes: git add clef.yaml && git commit");
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      formatter.error(message);
+      process.exit(1);
+    }
+  });
+  cloud.command("login").description("Authenticate with Clef Cloud.").action(async () => {
+    try {
+      formatter.print(`${sym("clef")}  Clef Cloud
+`);
+      const existingCreds = readCloudCredentials();
+      const endpoint = existingCreds?.endpoint;
+      const session = await initiateDeviceFlow(endpoint, {
+        repoName: path4.basename(process.cwd()),
+        clientVersion: deps.cliVersion,
+        flow: "login"
+      });
+      formatter.print(`   Opening browser to log in...`);
+      formatter.print(`   If the browser doesn't open, visit:
+   ${session.loginUrl}
+`);
+      const opened = await deps.openBrowser(session.loginUrl, runner);
+      if (!opened) {
+        formatter.warn("Could not open browser automatically. Visit the URL above.");
+      }
+      formatter.print(`   Waiting for authorization... (press Ctrl+C to cancel)`);
+      const result = await pollUntilComplete(session.pollUrl);
+      if (result.status === "expired") {
+        formatter.error("Session expired. Run 'clef cloud login' again.");
+        process.exit(1);
+        return;
+      }
+      if (result.status === "cancelled") {
+        formatter.info("Login cancelled.");
+        return;
+      }
+      if (result.token) {
+        const creds = {
+          refreshToken: result.token,
+          endpoint,
+          cognitoDomain: result.cognitoDomain,
+          clientId: result.clientId
+        };
+        if (result.accessToken && result.accessTokenExpiresIn) {
+          creds.accessToken = result.accessToken;
+          creds.accessTokenExpiry = Date.now() + result.accessTokenExpiresIn * 1e3;
+        }
+        writeCloudCredentials(creds);
+        formatter.success("Logged in. Credentials saved to ~/.clef/credentials.yaml");
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      formatter.error(message);
+      process.exit(1);
+    }
+  });
+}
+async function pollUntilComplete(pollUrl) {
+  for (; ; ) {
+    const result = await pollDeviceFlow(pollUrl);
+    if (result.status === "complete" || result.status === "expired" || result.status === "cancelled") {
+      return result;
+    }
+    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+  }
+}
+export {
+  registerCloudCommands
+};
+//# sourceMappingURL=cli.mjs.map