@clef-sh/cloud 0.1.18-beta.85

package/dist/index.js

@@ -0,0 +1,522 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  CLOUD_DEFAULT_ENDPOINT: () => CLOUD_DEFAULT_ENDPOINT,
+  CloudApiError: () => CloudApiError,
+  CloudArtifactClient: () => CloudArtifactClient,
+  CloudClient: () => CloudClient,
+  CloudPackClient: () => CloudPackClient,
+  createCloudSopsClient: () => createCloudSopsClient,
+  initiateDeviceFlow: () => initiateDeviceFlow,
+  pollDeviceFlow: () => pollDeviceFlow,
+  readCloudCredentials: () => readCloudCredentials,
+  refreshAccessToken: () => refreshAccessToken,
+  resetKeyserviceResolution: () => resetKeyserviceResolution,
+  resolveAccessToken: () => resolveAccessToken,
+  resolveKeyservicePath: () => resolveKeyservicePath,
+  spawnKeyservice: () => spawnKeyservice,
+  writeCloudCredentials: () => writeCloudCredentials
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/keyservice.ts
+var import_child_process = require("child_process");
+var readline = __toESM(require("readline"));
+var PORT_REGEX = /^PORT=(\d+)$/;
+var STARTUP_TIMEOUT_MS = 5e3;
+var SHUTDOWN_TIMEOUT_MS = 3e3;
+async function spawnKeyservice(options) {
+  const args = ["--addr", "127.0.0.1:0"];
+  if (options.endpoint) {
+    args.push("--endpoint", options.endpoint);
+  }
+  const child = (0, import_child_process.spawn)(options.binaryPath, args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    env: { ...process.env, CLEF_CLOUD_TOKEN: options.token }
+  });
+  const port = await readPort(child);
+  const addr = `tcp://127.0.0.1:${port}`;
+  return {
+    addr,
+    kill: () => killGracefully(child)
+  };
+}
+function readPort(child) {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const rl = readline.createInterface({ input: child.stdout });
+    function settle() {
+      clearTimeout(timer);
+      rl.close();
+    }
+    const timer = setTimeout(() => {
+      if (!settled) {
+        settled = true;
+        settle();
+        child.kill("SIGKILL");
+        reject(new Error("Keyservice did not start within 5 seconds."));
+      }
+    }, STARTUP_TIMEOUT_MS);
+    rl.on("line", (line) => {
+      const match = PORT_REGEX.exec(line);
+      if (match && !settled) {
+        settled = true;
+        settle();
+        resolve(parseInt(match[1], 10));
+      }
+    });
+    child.on("error", (err) => {
+      if (!settled) {
+        settled = true;
+        settle();
+        reject(new Error(`Failed to start keyservice: ${err.message}`));
+      }
+    });
+    child.on("exit", (code) => {
+      if (!settled) {
+        settled = true;
+        settle();
+        reject(new Error(`Keyservice exited unexpectedly with code ${code}.`));
+      }
+    });
+  });
+}
+function killGracefully(child) {
+  return new Promise((resolve) => {
+    if (child.exitCode !== null) {
+      resolve();
+      return;
+    }
+    const timer = setTimeout(() => {
+      child.kill("SIGKILL");
+    }, SHUTDOWN_TIMEOUT_MS);
+    child.on("exit", () => {
+      clearTimeout(timer);
+      resolve();
+    });
+    child.kill("SIGTERM");
+  });
+}
+
+// src/resolver.ts
+var fs2 = __toESM(require("fs"));
+var path2 = __toESM(require("path"));
+
+// src/bundled.ts
+var fs = __toESM(require("fs"));
+var path = __toESM(require("path"));
+function tryBundledKeyservice() {
+  const platform = process.platform;
+  const arch = process.arch;
+  const archName = arch === "x64" ? "x64" : arch === "arm64" ? "arm64" : null;
+  if (!archName) return null;
+  const platformName = platform === "darwin" ? "darwin" : platform === "linux" ? "linux" : platform === "win32" ? "win32" : null;
+  if (!platformName) return null;
+  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;
+  const binName = platform === "win32" ? "clef-keyservice.exe" : "clef-keyservice";
+  try {
+    const packageMain = require.resolve(`${packageName}/package.json`);
+    const packageDir = path.dirname(packageMain);
+    const binPath = path.join(packageDir, "bin", binName);
+    return fs.existsSync(binPath) ? binPath : null;
+  } catch {
+    return null;
+  }
+}
+
+// src/resolver.ts
+function validateKeyservicePath(candidate) {
+  if (!path2.isAbsolute(candidate)) {
+    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);
+  }
+  const segments = candidate.split(/[/\\]/);
+  if (segments.includes("..")) {
+    throw new Error(
+      `CLEF_KEYSERVICE_PATH contains '..' path segments ('${candidate}'). Use an absolute path without directory traversal.`
+    );
+  }
+}
+var cached;
+function resolveKeyservicePath() {
+  if (cached) return cached;
+  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();
+  if (envPath) {
+    validateKeyservicePath(envPath);
+    if (!fs2.existsSync(envPath)) {
+      throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);
+    }
+    cached = { path: envPath, source: "env" };
+    return cached;
+  }
+  const bundledPath = tryBundledKeyservice();
+  if (bundledPath) {
+    cached = { path: bundledPath, source: "bundled" };
+    return cached;
+  }
+  cached = { path: "clef-keyservice", source: "system" };
+  return cached;
+}
+function resetKeyserviceResolution() {
+  cached = void 0;
+}
+
+// src/credentials.ts
+var fs3 = __toESM(require("fs"));
+var path3 = __toESM(require("path"));
+var os = __toESM(require("os"));
+var YAML = __toESM(require("yaml"));
+
+// src/constants.ts
+var CLOUD_DEFAULT_ENDPOINT = "https://api.clef.sh";
+
+// src/credentials.ts
+var CREDENTIALS_FILENAME = "credentials.yaml";
+function readCloudCredentials() {
+  const credPath = path3.join(os.homedir(), ".clef", CREDENTIALS_FILENAME);
+  let raw;
+  try {
+    raw = YAML.parse(fs3.readFileSync(credPath, "utf-8"));
+  } catch {
+    return null;
+  }
+  if (!raw || typeof raw !== "object") return null;
+  const obj = raw;
+  const refreshToken = typeof obj.refreshToken === "string" ? obj.refreshToken : "";
+  const accessToken = typeof obj.accessToken === "string" ? obj.accessToken : void 0;
+  const accessTokenExpiry = typeof obj.accessTokenExpiry === "number" ? obj.accessTokenExpiry : void 0;
+  const endpoint = typeof obj.endpoint === "string" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;
+  const cognitoDomain = typeof obj.cognitoDomain === "string" ? obj.cognitoDomain : void 0;
+  const clientId = typeof obj.clientId === "string" ? obj.clientId : void 0;
+  if (!refreshToken && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;
+  return { refreshToken, accessToken, accessTokenExpiry, endpoint, cognitoDomain, clientId };
+}
+function writeCloudCredentials(credentials) {
+  const clefDir = path3.join(os.homedir(), ".clef");
+  fs3.mkdirSync(clefDir, { recursive: true, mode: 448 });
+  const credPath = path3.join(clefDir, CREDENTIALS_FILENAME);
+  const content = Object.fromEntries(
+    Object.entries(credentials).filter(([, v]) => v !== void 0)
+  );
+  fs3.writeFileSync(credPath, YAML.stringify(content), { mode: 384 });
+}
+
+// src/device-flow.ts
+async function initiateDeviceFlow(endpoint, options) {
+  const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  const payload = {
+    clientType: "cli",
+    clientVersion: options.clientVersion,
+    repoName: options.repoName,
+    flow: options.flow
+  };
+  if (options.environment) {
+    payload.environment = options.environment;
+  }
+  let res;
+  try {
+    res = await fetch(`${base}/api/v1/device/init`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(payload)
+    });
+  } catch (err) {
+    const cause = err instanceof Error ? err.cause : void 0;
+    const reason = cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);
+    throw new Error(`Could not reach Clef Cloud at ${base}: ${reason}`);
+  }
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Device flow init failed (${res.status}): ${body}`);
+  }
+  const json = await res.json();
+  const session = json.data ?? json;
+  if (session.pollUrl && !session.pollUrl.startsWith("http")) {
+    session.pollUrl = `${base}${session.pollUrl}`;
+  }
+  return session;
+}
+async function pollDeviceFlow(pollUrl) {
+  let res;
+  try {
+    res = await fetch(pollUrl);
+  } catch (err) {
+    const cause = err instanceof Error ? err.cause : void 0;
+    const reason = cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);
+    throw new Error(`Could not reach Clef Cloud poll endpoint: ${reason}`);
+  }
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`Device flow poll failed (${res.status}): ${body}`);
+  }
+  const json = await res.json();
+  return json.data ?? json;
+}
+
+// src/pack-client.ts
+var fs4 = __toESM(require("fs"));
+var path4 = __toESM(require("path"));
+var import_core = require("@clef-sh/core");
+var CloudPackClient = class {
+  endpoint;
+  constructor(endpoint) {
+    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  }
+  async pack(token, config) {
+    const matrixManager = new import_core.MatrixManager();
+    const cells = matrixManager.resolveMatrix(config.manifest, config.repoRoot).filter((c) => c.environment === config.environment && c.exists);
+    const formData = new FormData();
+    const configJson = JSON.stringify({
+      identity: config.identity,
+      environment: config.environment,
+      ...config.ttl ? { ttl: config.ttl } : {}
+    });
+    formData.append("config", new Blob([configJson], { type: "application/json" }));
+    const manifestPath = path4.join(config.repoRoot, "clef.yaml");
+    const manifestContent = fs4.readFileSync(manifestPath, "utf-8");
+    formData.append("manifest", new Blob([manifestContent], { type: "text/yaml" }));
+    for (const cell of cells) {
+      const relPath = path4.relative(config.repoRoot, cell.filePath);
+      const content = fs4.readFileSync(cell.filePath, "utf-8");
+      formData.append(`files`, new Blob([content], { type: "text/yaml" }), relPath);
+    }
+    const res = await fetch(`${this.endpoint}/api/v1/cloud/pack`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}` },
+      body: formData
+    });
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(`Cloud pack failed (${res.status}): ${body}`);
+    }
+    return await res.json();
+  }
+};
+var CloudArtifactClient = class {
+  endpoint;
+  constructor(endpoint) {
+    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;
+  }
+  async upload(token, config) {
+    const res = await fetch(
+      `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,
+      {
+        method: "PUT",
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: config.artifactJson
+      }
+    );
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(`Artifact upload failed (${res.status}): ${body}`);
+    }
+  }
+};
+
+// src/token-refresh.ts
+async function refreshAccessToken(config) {
+  const url = `${config.cognitoDomain}/oauth2/token`;
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    refresh_token: config.refreshToken
+  });
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    if (res.status === 400 && text.includes("invalid_grant")) {
+      throw new Error(
+        "Refresh token expired or revoked. Run 'clef cloud login' to re-authenticate."
+      );
+    }
+    throw new Error(`Token refresh failed (${res.status}): ${text}`);
+  }
+  const data = await res.json();
+  return {
+    accessToken: data.access_token,
+    idToken: data.id_token,
+    expiresIn: data.expires_in
+  };
+}
+
+// src/sops.ts
+async function resolveAccessToken() {
+  const clefToken = process.env.CLEF_TOKEN;
+  if (clefToken) {
+    const creds2 = readCloudCredentials();
+    return { accessToken: clefToken, endpoint: creds2?.endpoint };
+  }
+  const creds = readCloudCredentials();
+  const refreshToken = process.env.CLEF_CLOUD_REFRESH_TOKEN ?? creds?.refreshToken;
+  if (!refreshToken) {
+    throw new Error("Not authenticated. Run 'clef cloud login' to connect to Clef Cloud.");
+  }
+  if (creds?.accessToken && creds?.accessTokenExpiry && Date.now() < creds.accessTokenExpiry - 6e4) {
+    return { accessToken: creds.accessToken, endpoint: creds?.endpoint };
+  }
+  if (!creds?.cognitoDomain || !creds?.clientId) {
+    throw new Error("Missing Cognito configuration. Run 'clef cloud login' to re-authenticate.");
+  }
+  const result = await refreshAccessToken({
+    cognitoDomain: creds.cognitoDomain,
+    clientId: creds.clientId,
+    refreshToken
+  });
+  writeCloudCredentials({
+    ...creds,
+    refreshToken,
+    accessToken: result.accessToken,
+    accessTokenExpiry: Date.now() + result.expiresIn * 1e3
+  });
+  return { accessToken: result.accessToken, endpoint: creds?.endpoint };
+}
+async function createCloudSopsClient(repoRoot, runner, createSopsClient) {
+  const { accessToken, endpoint } = await resolveAccessToken();
+  const binaryPath = resolveKeyservicePath().path;
+  const handle = await spawnKeyservice({
+    binaryPath,
+    token: accessToken,
+    endpoint
+  });
+  const client = await createSopsClient(repoRoot, runner, handle.addr);
+  return {
+    client,
+    cleanup: () => handle.kill()
+  };
+}
+
+// src/types.ts
+var CloudApiError = class extends Error {
+  constructor(message, statusCode, fix) {
+    super(message);
+    this.statusCode = statusCode;
+    this.fix = fix;
+    this.name = "CloudApiError";
+  }
+  statusCode;
+  fix;
+};
+
+// src/report-client.ts
+var DEFAULT_RETRY_DELAY_MS = 1e3;
+var CloudClient = class {
+  retryDelayMs;
+  constructor(options) {
+    this.retryDelayMs = options?.retryDelayMs ?? DEFAULT_RETRY_DELAY_MS;
+  }
+  async fetchIntegration(apiUrl, apiKey, integrationId) {
+    const url = `${apiUrl}/api/v1/integrations/${encodeURIComponent(integrationId)}`;
+    return this.request("GET", url, apiKey);
+  }
+  async submitReport(apiUrl, apiKey, report) {
+    const url = `${apiUrl}/api/v1/reports`;
+    return this.request("POST", url, apiKey, report);
+  }
+  async submitBatchReports(apiUrl, apiKey, batch) {
+    const url = `${apiUrl}/api/v1/reports/batch`;
+    return this.request("POST", url, apiKey, batch);
+  }
+  async request(method, url, apiKey, body) {
+    const headers = {
+      Authorization: `Bearer ${apiKey}`,
+      "Content-Type": "application/json"
+    };
+    const init = {
+      method,
+      headers,
+      ...body !== void 0 ? { body: JSON.stringify(body) } : {}
+    };
+    let response;
+    try {
+      response = await fetch(url, init);
+    } catch {
+      await this.delay(this.retryDelayMs);
+      try {
+        response = await fetch(url, init);
+      } catch (retryErr) {
+        throw new CloudApiError(
+          `Network error contacting Clef Cloud: ${retryErr.message}`,
+          0,
+          "Check your network connection and CLEF_API_URL."
+        );
+      }
+    }
+    if (response.ok) {
+      return await response.json();
+    }
+    if (response.status >= 500 && response.status < 600) {
+      await this.delay(this.retryDelayMs);
+      const retryResponse = await fetch(url, init);
+      if (retryResponse.ok) {
+        return await retryResponse.json();
+      }
+      throw this.buildError(retryResponse);
+    }
+    throw this.buildError(response);
+  }
+  buildError(response) {
+    const hint = response.status === 401 || response.status === 403 ? "Check your API token (--api-token or CLEF_API_TOKEN)." : response.status === 404 ? "Check your cloud.integrationId in clef.yaml." : void 0;
+    return new CloudApiError(
+      `Clef Cloud API returned ${response.status} ${response.statusText}`,
+      response.status,
+      hint
+    );
+  }
+  delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  CLOUD_DEFAULT_ENDPOINT,
+  CloudApiError,
+  CloudArtifactClient,
+  CloudClient,
+  CloudPackClient,
+  createCloudSopsClient,
+  initiateDeviceFlow,
+  pollDeviceFlow,
+  readCloudCredentials,
+  refreshAccessToken,
+  resetKeyserviceResolution,
+  resolveAccessToken,
+  resolveKeyservicePath,
+  spawnKeyservice,
+  writeCloudCredentials
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../src/index.ts", "../src/keyservice.ts", "../src/resolver.ts", "../src/bundled.ts", "../src/credentials.ts", "../src/constants.ts", "../src/device-flow.ts", "../src/pack-client.ts", "../src/token-refresh.ts", "../src/sops.ts", "../src/types.ts", "../src/report-client.ts"],
+  "sourcesContent": ["/**\n * @clef-sh/cloud \u2014 Clef Cloud integration.\n *\n * Managed KMS backend, device-flow authentication, artifact hosting,\n * and keyservice sidecar management. Requires @clef-sh/core as a peer.\n *\n * This package is optional \u2014 the core Clef CLI works without it.\n * Install it to enable `clef cloud init` and the Cloud encryption backend.\n */\n\nexport type { ClefCloudCredentials } from \"./types\";\nexport { spawnKeyservice } from \"./keyservice\";\nexport type { KeyserviceHandle } from \"./keyservice\";\nexport { resolveKeyservicePath, resetKeyserviceResolution } from \"./resolver\";\nexport type { KeyserviceResolution, KeyserviceSource } from \"./resolver\";\nexport { readCloudCredentials, writeCloudCredentials } from \"./credentials\";\nexport { initiateDeviceFlow, pollDeviceFlow } from \"./device-flow\";\nexport type { DeviceSession, DevicePollResult, DeviceFlowType } from \"./device-flow\";\nexport { CloudPackClient, CloudArtifactClient } from \"./pack-client\";\nexport type { RemotePackConfig, RemotePackResult } from \"./pack-client\";\nexport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\nexport { refreshAccessToken } from \"./token-refresh\";\nexport type { TokenRefreshConfig, TokenRefreshResult } from \"./token-refresh\";\nexport { createCloudSopsClient, resolveAccessToken } from \"./sops\";\nexport type { CloudSopsResult, CreateSopsClientFn } from \"./sops\";\nexport { CloudClient } from \"./report-client\";\nexport type {\n  CloudApiReport,\n  CloudBatchPayload,\n  CloudBatchResponse,\n  CloudIntegrationResponse,\n  CloudReportResponse,\n  CloudReportSummary,\n  CloudReportDrift,\n  CloudReportCell,\n  CloudCellHealthStatus,\n  CloudPolicyResult,\n  CloudCIContext,\n} from \"./types\";\nexport { CloudApiError } from \"./types\";\n", "/**\n * Manages the clef-keyservice sidecar lifecycle: spawn, port discovery, graceful shutdown.\n *\n * The keyservice binary is a localhost gRPC server that proxies KMS encrypt/decrypt\n * operations to the Cloud API. The CLI spawns it per command and kills it when done.\n */\nimport { spawn, type ChildProcess } from \"child_process\";\nimport * as readline from \"readline\";\n\nexport interface KeyserviceHandle {\n  /** Address for SOPS --keyservice flag, e.g. \"tcp://127.0.0.1:12345\". */\n  addr: string;\n  /** Gracefully stop the keyservice process. */\n  kill(): Promise<void>;\n}\n\nconst PORT_REGEX = /^PORT=(\\d+)$/;\nconst STARTUP_TIMEOUT_MS = 5000;\nconst SHUTDOWN_TIMEOUT_MS = 3000;\n\n/**\n * Spawn a clef-keyservice sidecar process and wait for it to report its port.\n *\n * @param options.binaryPath - Absolute path to the clef-keyservice binary.\n * @param options.token - Cloud bearer token for API authentication.\n * @param options.endpoint - Optional Cloud API endpoint override.\n * @returns A handle with the keyservice address and a kill function.\n */\nexport async function spawnKeyservice(options: {\n  binaryPath: string;\n  token: string;\n  endpoint?: string;\n}): Promise<KeyserviceHandle> {\n  const args = [\"--addr\", \"127.0.0.1:0\"];\n  if (options.endpoint) {\n    args.push(\"--endpoint\", options.endpoint);\n  }\n\n  // Token passed via env var \u2014 CLI args are visible in /proc/<pid>/cmdline\n  const child = spawn(options.binaryPath, args, {\n    stdio: [\"ignore\", \"pipe\", \"pipe\"],\n    env: { ...process.env, CLEF_CLOUD_TOKEN: options.token },\n  });\n\n  const port = await readPort(child);\n  const addr = `tcp://127.0.0.1:${port}`;\n\n  return {\n    addr,\n    kill: () => killGracefully(child),\n  };\n}\n\nfunction readPort(child: ChildProcess): Promise<number> {\n  return new Promise((resolve, reject) => {\n    let settled = false;\n\n    const rl = readline.createInterface({ input: child.stdout! });\n\n    function settle() {\n      clearTimeout(timer);\n      rl.close();\n    }\n\n    const timer = setTimeout(() => {\n      if (!settled) {\n        settled = true;\n        settle();\n        child.kill(\"SIGKILL\");\n        reject(new Error(\"Keyservice did not start within 5 seconds.\"));\n      }\n    }, STARTUP_TIMEOUT_MS);\n\n    rl.on(\"line\", (line) => {\n      const match = PORT_REGEX.exec(line);\n      if (match && !settled) {\n        settled = true;\n        settle();\n        resolve(parseInt(match[1], 10));\n      }\n    });\n\n    child.on(\"error\", (err) => {\n      if (!settled) {\n        settled = true;\n        settle();\n        reject(new Error(`Failed to start keyservice: ${err.message}`));\n      }\n    });\n\n    child.on(\"exit\", (code) => {\n      if (!settled) {\n        settled = true;\n        settle();\n        reject(new Error(`Keyservice exited unexpectedly with code ${code}.`));\n      }\n    });\n  });\n}\n\nfunction killGracefully(child: ChildProcess): Promise<void> {\n  return new Promise((resolve) => {\n    if (child.exitCode !== null) {\n      resolve();\n      return;\n    }\n    const timer = setTimeout(() => {\n      child.kill(\"SIGKILL\");\n    }, SHUTDOWN_TIMEOUT_MS);\n    child.on(\"exit\", () => {\n      clearTimeout(timer);\n      resolve();\n    });\n    child.kill(\"SIGTERM\");\n  });\n}\n", "/**\n * Resolves the path to the `clef-keyservice` binary using a three-tier resolution chain:\n *\n *   1. `CLEF_KEYSERVICE_PATH` environment variable (explicit user override)\n *   2. Bundled platform-specific package (`@clef-sh/keyservice-{os}-{arch}`)\n *   3. System PATH fallback (bare `\"clef-keyservice\"` command name)\n *\n * Mirrors the resolution pattern in sops/resolver.ts.\n */\nimport * as fs from \"fs\";\nimport * as path from \"path\";\nimport { tryBundledKeyservice } from \"./bundled\";\n\nfunction validateKeyservicePath(candidate: string): void {\n  if (!path.isAbsolute(candidate)) {\n    throw new Error(`CLEF_KEYSERVICE_PATH must be an absolute path, got '${candidate}'.`);\n  }\n  const segments = candidate.split(/[/\\\\]/);\n  if (segments.includes(\"..\")) {\n    throw new Error(\n      `CLEF_KEYSERVICE_PATH contains '..' path segments ('${candidate}'). ` +\n        \"Use an absolute path without directory traversal.\",\n    );\n  }\n}\n\nexport type KeyserviceSource = \"env\" | \"bundled\" | \"system\";\n\nexport interface KeyserviceResolution {\n  /** Absolute path to the keyservice binary, or \"clef-keyservice\" for system PATH fallback. */\n  path: string;\n  /** How the binary was located. */\n  source: KeyserviceSource;\n}\n\nlet cached: KeyserviceResolution | undefined;\n\n/**\n * Resolve the clef-keyservice binary path.\n *\n * Resolution order:\n *   1. `CLEF_KEYSERVICE_PATH` env var \u2014 explicit override, used as-is\n *   2. Bundled `@clef-sh/keyservice-{platform}-{arch}` package\n *   3. System PATH fallback \u2014 returns bare `\"clef-keyservice\"`\n *\n * The result is cached module-wide. Call {@link resetKeyserviceResolution} in tests\n * to clear the cache.\n */\nexport function resolveKeyservicePath(): KeyserviceResolution {\n  if (cached) return cached;\n\n  // 1. Explicit environment override\n  const envPath = process.env.CLEF_KEYSERVICE_PATH?.trim();\n  if (envPath) {\n    validateKeyservicePath(envPath);\n    if (!fs.existsSync(envPath)) {\n      throw new Error(`CLEF_KEYSERVICE_PATH points to '${envPath}' but the file does not exist.`);\n    }\n    cached = { path: envPath, source: \"env\" };\n    return cached;\n  }\n\n  // 2. Bundled platform package\n  const bundledPath = tryBundledKeyservice();\n  if (bundledPath) {\n    cached = { path: bundledPath, source: \"bundled\" };\n    return cached;\n  }\n\n  // 3. System PATH fallback\n  cached = { path: \"clef-keyservice\", source: \"system\" };\n  return cached;\n}\n\n/**\n * Clear the cached resolution. Only intended for use in tests.\n */\nexport function resetKeyserviceResolution(): void {\n  cached = undefined;\n}\n", "/**\n * Locates the bundled clef-keyservice binary from the platform-specific npm package.\n * Mirrors sops/bundled.ts \u2014 extracted for testability.\n */\nimport * as fs from \"fs\";\nimport * as path from \"path\";\n\n/**\n * Try to locate the bundled keyservice binary from the platform-specific npm package.\n * Returns the resolved path or null if the package is not installed.\n */\nexport function tryBundledKeyservice(): string | null {\n  const platform = process.platform;\n  const arch = process.arch;\n\n  const archName = arch === \"x64\" ? \"x64\" : arch === \"arm64\" ? \"arm64\" : null;\n  if (!archName) return null;\n\n  const platformName =\n    platform === \"darwin\"\n      ? \"darwin\"\n      : platform === \"linux\"\n        ? \"linux\"\n        : platform === \"win32\"\n          ? \"win32\"\n          : null;\n  if (!platformName) return null;\n\n  const packageName = `@clef-sh/keyservice-${platformName}-${archName}`;\n  const binName = platform === \"win32\" ? \"clef-keyservice.exe\" : \"clef-keyservice\";\n\n  try {\n    const packageMain = require.resolve(`${packageName}/package.json`);\n    const packageDir = path.dirname(packageMain);\n    const binPath = path.join(packageDir, \"bin\", binName);\n    return fs.existsSync(binPath) ? binPath : null;\n  } catch {\n    return null;\n  }\n}\n", "import * as fs from \"fs\";\nimport * as path from \"path\";\nimport * as os from \"os\";\nimport * as YAML from \"yaml\";\nimport type { ClefCloudCredentials } from \"./types\";\nimport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\n\nconst CREDENTIALS_FILENAME = \"credentials.yaml\";\n\n/**\n * Read Cloud credentials from ~/.clef/credentials.yaml.\n * Returns null if the file does not exist or is malformed.\n */\nexport function readCloudCredentials(): ClefCloudCredentials | null {\n  const credPath = path.join(os.homedir(), \".clef\", CREDENTIALS_FILENAME);\n\n  let raw: unknown;\n  try {\n    raw = YAML.parse(fs.readFileSync(credPath, \"utf-8\"));\n  } catch {\n    return null;\n  }\n\n  if (!raw || typeof raw !== \"object\") return null;\n  const obj = raw as Record<string, unknown>;\n\n  const refreshToken = typeof obj.refreshToken === \"string\" ? obj.refreshToken : \"\";\n  const accessToken = typeof obj.accessToken === \"string\" ? obj.accessToken : undefined;\n  const accessTokenExpiry =\n    typeof obj.accessTokenExpiry === \"number\" ? obj.accessTokenExpiry : undefined;\n  const endpoint = typeof obj.endpoint === \"string\" ? obj.endpoint : CLOUD_DEFAULT_ENDPOINT;\n  const cognitoDomain = typeof obj.cognitoDomain === \"string\" ? obj.cognitoDomain : undefined;\n  const clientId = typeof obj.clientId === \"string\" ? obj.clientId : undefined;\n\n  if (!refreshToken && endpoint === CLOUD_DEFAULT_ENDPOINT) return null;\n\n  return { refreshToken, accessToken, accessTokenExpiry, endpoint, cognitoDomain, clientId };\n}\n\n/**\n * Write Cloud credentials to ~/.clef/credentials.yaml.\n * Creates ~/.clef/ with mode 0700 if it doesn't exist.\n * File is written with mode 0600 (owner read/write only).\n */\nexport function writeCloudCredentials(credentials: ClefCloudCredentials): void {\n  const clefDir = path.join(os.homedir(), \".clef\");\n  fs.mkdirSync(clefDir, { recursive: true, mode: 0o700 });\n  const credPath = path.join(clefDir, CREDENTIALS_FILENAME);\n\n  const content = Object.fromEntries(\n    Object.entries(credentials).filter(([, v]) => v !== undefined),\n  );\n\n  fs.writeFileSync(credPath, YAML.stringify(content), { mode: 0o600 });\n}\n", "export const CLOUD_DEFAULT_ENDPOINT = \"https://api.clef.sh\";\n", "/**\n * Device flow client for Clef Cloud authentication.\n *\n * The CLI initiates a device flow session, opens the browser to the login URL,\n * and polls until the user completes auth + payment. Same pattern as\n * `gh auth login` and Claude Code.\n */\nimport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\n\nexport interface DeviceSession {\n  sessionId: string;\n  loginUrl: string;\n  pollUrl: string;\n  /** Session lifetime in seconds. */\n  expiresIn: number;\n}\n\nexport type DeviceFlowType = \"login\" | \"setup\";\n\nexport interface DevicePollResult {\n  status: \"pending\" | \"awaiting_payment\" | \"complete\" | \"cancelled\" | \"expired\";\n  /** Cognito refresh token. Present when status is \"complete\". */\n  token?: string;\n  /** Cognito access token. Present when status is \"complete\". */\n  accessToken?: string;\n  /** Access token lifetime in seconds. Present alongside accessToken. */\n  accessTokenExpiresIn?: number;\n  /** Present when status is \"complete\". */\n  integrationId?: string;\n  /** Present when status is \"complete\". */\n  keyId?: string;\n  /** Cognito OAuth2 domain URL for token refresh. Present when status is \"complete\". */\n  cognitoDomain?: string;\n  /** CLI Cognito app client ID. Present when status is \"complete\". */\n  clientId?: string;\n}\n\n/**\n * Initiate a device flow session with the Cloud API.\n *\n * @param endpoint - Cloud API base URL. Defaults to https://api.clef.sh.\n * @param options - Session metadata carried into the browser flow.\n * @returns The session with a login URL to open in the browser.\n */\nexport async function initiateDeviceFlow(\n  endpoint: string | undefined,\n  options: {\n    repoName: string;\n    environment?: string;\n    clientVersion: string;\n    flow: DeviceFlowType;\n  },\n): Promise<DeviceSession> {\n  const base = endpoint ?? CLOUD_DEFAULT_ENDPOINT;\n  const payload: Record<string, string> = {\n    clientType: \"cli\",\n    clientVersion: options.clientVersion,\n    repoName: options.repoName,\n    flow: options.flow,\n  };\n  if (options.environment) {\n    payload.environment = options.environment;\n  }\n  let res: Response;\n  try {\n    res = await fetch(`${base}/api/v1/device/init`, {\n      method: \"POST\",\n      headers: { \"Content-Type\": \"application/json\" },\n      body: JSON.stringify(payload),\n    });\n  } catch (err) {\n    const cause = err instanceof Error ? (err as Error & { cause?: unknown }).cause : undefined;\n    const reason =\n      cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);\n    throw new Error(`Could not reach Clef Cloud at ${base}: ${reason}`);\n  }\n\n  if (!res.ok) {\n    const body = await res.text().catch(() => \"\");\n    throw new Error(`Device flow init failed (${res.status}): ${body}`);\n  }\n\n  const json = await res.json();\n  // Support both { data: { ... } } (saas API) and flat { ... } formats\n  const session = (json.data ?? json) as DeviceSession;\n\n  // The API may return a relative pollUrl \u2014 resolve it against the base\n  if (session.pollUrl && !session.pollUrl.startsWith(\"http\")) {\n    session.pollUrl = `${base}${session.pollUrl}`;\n  }\n\n  return session;\n}\n\n/**\n * Poll a device flow session for completion.\n *\n * @param pollUrl - The full poll URL returned by {@link initiateDeviceFlow}.\n * @returns The current session state.\n */\nexport async function pollDeviceFlow(pollUrl: string): Promise<DevicePollResult> {\n  let res: Response;\n  try {\n    res = await fetch(pollUrl);\n  } catch (err) {\n    const cause = err instanceof Error ? (err as Error & { cause?: unknown }).cause : undefined;\n    const reason =\n      cause instanceof Error ? cause.message : err instanceof Error ? err.message : String(err);\n    throw new Error(`Could not reach Clef Cloud poll endpoint: ${reason}`);\n  }\n\n  if (!res.ok) {\n    const body = await res.text().catch(() => \"\");\n    throw new Error(`Device flow poll failed (${res.status}): ${body}`);\n  }\n\n  const json = await res.json();\n  return (json.data ?? json) as DevicePollResult;\n}\n", "/**\n * HTTP client for the Cloud pack endpoint.\n *\n * Used by `clef pack --remote` to send encrypted files to Cloud for packing.\n */\nimport * as fs from \"fs\";\nimport * as path from \"path\";\nimport type { ClefManifest, MatrixCell } from \"@clef-sh/core\";\nimport { MatrixManager } from \"@clef-sh/core\";\nimport { CLOUD_DEFAULT_ENDPOINT } from \"./constants\";\n\nexport interface RemotePackConfig {\n  identity: string;\n  environment: string;\n  manifest: ClefManifest;\n  repoRoot: string;\n  ttl?: number;\n}\n\nexport interface RemotePackResult {\n  revision: string;\n  artifactSize: number;\n  identity: string;\n  environment: string;\n}\n\nexport class CloudPackClient {\n  private readonly endpoint: string;\n\n  constructor(endpoint?: string) {\n    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;\n  }\n\n  async pack(token: string, config: RemotePackConfig): Promise<RemotePackResult> {\n    const matrixManager = new MatrixManager();\n    const cells = matrixManager\n      .resolveMatrix(config.manifest, config.repoRoot)\n      .filter((c: MatrixCell) => c.environment === config.environment && c.exists);\n\n    const formData = new FormData();\n\n    const configJson = JSON.stringify({\n      identity: config.identity,\n      environment: config.environment,\n      ...(config.ttl ? { ttl: config.ttl } : {}),\n    });\n    formData.append(\"config\", new Blob([configJson], { type: \"application/json\" }));\n\n    const manifestPath = path.join(config.repoRoot, \"clef.yaml\");\n    const manifestContent = fs.readFileSync(manifestPath, \"utf-8\");\n    formData.append(\"manifest\", new Blob([manifestContent], { type: \"text/yaml\" }));\n\n    for (const cell of cells) {\n      const relPath = path.relative(config.repoRoot, cell.filePath);\n      const content = fs.readFileSync(cell.filePath, \"utf-8\");\n      formData.append(`files`, new Blob([content], { type: \"text/yaml\" }), relPath);\n    }\n\n    const res = await fetch(`${this.endpoint}/api/v1/cloud/pack`, {\n      method: \"POST\",\n      headers: { Authorization: `Bearer ${token}` },\n      body: formData,\n    });\n\n    if (!res.ok) {\n      const body = await res.text().catch(() => \"\");\n      throw new Error(`Cloud pack failed (${res.status}): ${body}`);\n    }\n\n    return (await res.json()) as RemotePackResult;\n  }\n}\n\n/**\n * HTTP client for uploading a locally-packed artifact to Cloud.\n *\n * Used by `clef pack --push`.\n */\nexport class CloudArtifactClient {\n  private readonly endpoint: string;\n\n  constructor(endpoint?: string) {\n    this.endpoint = endpoint ?? CLOUD_DEFAULT_ENDPOINT;\n  }\n\n  async upload(\n    token: string,\n    config: { identity: string; environment: string; artifactJson: string },\n  ): Promise<void> {\n    const res = await fetch(\n      `${this.endpoint}/api/v1/cloud/artifacts/${config.identity}/${config.environment}`,\n      {\n        method: \"PUT\",\n        headers: {\n          Authorization: `Bearer ${token}`,\n          \"Content-Type\": \"application/json\",\n        },\n        body: config.artifactJson,\n      },\n    );\n\n    if (!res.ok) {\n      const body = await res.text().catch(() => \"\");\n      throw new Error(`Artifact upload failed (${res.status}): ${body}`);\n    }\n  }\n}\n", "/**\n * Cognito token refresh via the OAuth2 token endpoint.\n *\n * Uses plain HTTP \u2014 no AWS SDK dependency. The Cognito token endpoint\n * accepts refresh tokens and returns fresh access tokens.\n */\n\nexport interface TokenRefreshConfig {\n  cognitoDomain: string;\n  clientId: string;\n  refreshToken: string;\n}\n\nexport interface TokenRefreshResult {\n  accessToken: string;\n  idToken: string;\n  expiresIn: number;\n}\n\n/**\n * Refresh a Cognito access token using a refresh token.\n *\n * Calls the Cognito OAuth2 token endpoint directly:\n *   POST https://<domain>.auth.<region>.amazoncognito.com/oauth2/token\n *\n * @returns Fresh access token, ID token, and expiry (seconds).\n * @throws If the refresh token is expired or invalid.\n */\nexport async function refreshAccessToken(config: TokenRefreshConfig): Promise<TokenRefreshResult> {\n  const url = `${config.cognitoDomain}/oauth2/token`;\n\n  const body = new URLSearchParams({\n    grant_type: \"refresh_token\",\n    client_id: config.clientId,\n    refresh_token: config.refreshToken,\n  });\n\n  const res = await fetch(url, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: body.toString(),\n  });\n\n  if (!res.ok) {\n    const text = await res.text().catch(() => \"\");\n    if (res.status === 400 && text.includes(\"invalid_grant\")) {\n      throw new Error(\n        \"Refresh token expired or revoked. Run 'clef cloud login' to re-authenticate.\",\n      );\n    }\n    throw new Error(`Token refresh failed (${res.status}): ${text}`);\n  }\n\n  const data = (await res.json()) as {\n    access_token: string;\n    id_token: string;\n    expires_in: number;\n    token_type: string;\n  };\n\n  return {\n    accessToken: data.access_token,\n    idToken: data.id_token,\n    expiresIn: data.expires_in,\n  };\n}\n", "/**\n * Cloud-aware SopsClient factory.\n *\n * Spawns the keyservice sidecar and creates a SopsClient with the keyservice\n * address for cloud backend decrypt/encrypt operations.\n */\nimport { SopsClient, SubprocessRunner } from \"@clef-sh/core\";\nimport { readCloudCredentials, writeCloudCredentials } from \"./credentials\";\nimport { resolveKeyservicePath } from \"./resolver\";\nimport { spawnKeyservice } from \"./keyservice\";\nimport { refreshAccessToken } from \"./token-refresh\";\n\nexport interface CloudSopsResult {\n  client: SopsClient;\n  cleanup: () => Promise<void>;\n}\n\nexport type CreateSopsClientFn = (\n  repoRoot: string,\n  runner: SubprocessRunner,\n  keyserviceAddr?: string,\n) => Promise<SopsClient>;\n\n/**\n * Resolve a fresh Cognito access token.\n *\n * Priority:\n *   1. CLEF_CLOUD_REFRESH_TOKEN env var (CI)\n *   2. ~/.clef/credentials.yaml refreshToken (interactive)\n *\n * If a cached access token exists and hasn't expired, returns it.\n * Otherwise refreshes via the Cognito token endpoint.\n */\nexport async function resolveAccessToken(): Promise<{ accessToken: string; endpoint?: string }> {\n  // Service account token \u2014 used in CI, no refresh needed\n  const clefToken = process.env.CLEF_TOKEN;\n  if (clefToken) {\n    const creds = readCloudCredentials();\n    return { accessToken: clefToken, endpoint: creds?.endpoint };\n  }\n\n  const creds = readCloudCredentials();\n  const refreshToken = process.env.CLEF_CLOUD_REFRESH_TOKEN ?? creds?.refreshToken;\n\n  if (!refreshToken) {\n    throw new Error(\"Not authenticated. Run 'clef cloud login' to connect to Clef Cloud.\");\n  }\n\n  // Return cached access token if still valid (before checking Cognito config)\n  if (\n    creds?.accessToken &&\n    creds?.accessTokenExpiry &&\n    Date.now() < creds.accessTokenExpiry - 60000\n  ) {\n    return { accessToken: creds.accessToken, endpoint: creds?.endpoint };\n  }\n\n  if (!creds?.cognitoDomain || !creds?.clientId) {\n    throw new Error(\"Missing Cognito configuration. Run 'clef cloud login' to re-authenticate.\");\n  }\n\n  const result = await refreshAccessToken({\n    cognitoDomain: creds.cognitoDomain,\n    clientId: creds.clientId,\n    refreshToken,\n  });\n\n  writeCloudCredentials({\n    ...creds,\n    refreshToken,\n    accessToken: result.accessToken,\n    accessTokenExpiry: Date.now() + result.expiresIn * 1000,\n  });\n\n  return { accessToken: result.accessToken, endpoint: creds?.endpoint };\n}\n\n/**\n * Create a SopsClient backed by the cloud keyservice sidecar.\n *\n * @param repoRoot - Repository root directory.\n * @param runner - Subprocess runner for SOPS invocations.\n * @param createSopsClient - Factory function from the CLI to create a SopsClient\n *   (handles age credential resolution).\n */\nexport async function createCloudSopsClient(\n  repoRoot: string,\n  runner: SubprocessRunner,\n  createSopsClient: CreateSopsClientFn,\n): Promise<CloudSopsResult> {\n  const { accessToken, endpoint } = await resolveAccessToken();\n\n  const binaryPath = resolveKeyservicePath().path;\n  const handle = await spawnKeyservice({\n    binaryPath,\n    token: accessToken,\n    endpoint,\n  });\n\n  const client = await createSopsClient(repoRoot, runner, handle.addr);\n  return {\n    client,\n    cleanup: () => handle.kill(),\n  };\n}\n", "/** User-scoped Cloud credentials stored in ~/.clef/credentials.yaml. */\nexport interface ClefCloudCredentials {\n  /** Cognito refresh token \u2014 long-lived, auto-refreshed to get access tokens. */\n  refreshToken: string;\n  /** Cached Cognito access token \u2014 short-lived, refreshed as needed. */\n  accessToken?: string;\n  /** Epoch ms when the cached access token expires. */\n  accessTokenExpiry?: number;\n  /** Cloud API endpoint override. Defaults to https://api.clef.sh. */\n  endpoint?: string;\n  /** Cognito OAuth2 domain for token refresh (e.g. https://clefcloud-123.auth.us-east-1.amazoncognito.com). */\n  cognitoDomain?: string;\n  /** Cognito CLI app client ID. */\n  clientId?: string;\n}\n\n// \u2500\u2500 Cloud report types \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n/** Health status for a single matrix cell in a cloud report. */\nexport type CloudCellHealthStatus = \"healthy\" | \"warning\" | \"critical\" | \"unknown\";\n\n/** A single cell summary sent to the Cloud API. */\nexport interface CloudReportCell {\n  namespace: string;\n  environment: string;\n  healthStatus: CloudCellHealthStatus;\n  description: string;\n}\n\n/** Summary section of a cloud API report. */\nexport interface CloudReportSummary {\n  filesScanned: number;\n  namespaces: string[];\n  environments: string[];\n  cells: CloudReportCell[];\n  violations: number;\n  passed: boolean;\n}\n\n/** Drift entry for a single namespace in a cloud report. */\nexport interface CloudReportDrift {\n  namespace: string;\n  isDrifted: boolean;\n  driftCount: number;\n}\n\n/** A single policy result in a cloud report. */\nexport interface CloudPolicyResult {\n  ruleId: string;\n  ruleName: string;\n  passed: boolean;\n  severity: string;\n  message: string;\n  scope?: { namespace?: string; environment?: string };\n}\n\n/** CI context attached to cloud reports when collectCIContext is enabled. */\nexport interface CloudCIContext {\n  provider: string;\n  pipelineUrl?: string;\n  trigger?: string;\n}\n\n/** The report payload sent to the Cloud API. */\nexport interface CloudApiReport {\n  commitSha: string;\n  branch: string;\n  commitTimestamp: number;\n  cliVersion: string;\n  summary: CloudReportSummary;\n  drift: CloudReportDrift[];\n  policyResults: CloudPolicyResult[];\n  ciContext?: CloudCIContext;\n}\n\n/** Batch payload for backfill submissions (max 500, oldest\u2192newest). */\nexport interface CloudBatchPayload {\n  reports: CloudApiReport[];\n}\n\n/** Response from GET /api/v1/integrations/:integrationId. */\nexport interface CloudIntegrationResponse {\n  lastCommitSha: string | null;\n  config: {\n    collectCIContext: boolean;\n  };\n}\n\n/** Response from POST /api/v1/reports. */\nexport interface CloudReportResponse {\n  id: string;\n  commitSha: string;\n}\n\n/** Response from POST /api/v1/reports/batch. */\nexport interface CloudBatchResponse {\n  accepted: number;\n  reportIds: string[];\n}\n\n/** Thrown when a Cloud API request fails. */\nexport class CloudApiError extends Error {\n  constructor(\n    message: string,\n    public readonly statusCode: number,\n    public readonly fix?: string,\n  ) {\n    super(message);\n    this.name = \"CloudApiError\";\n  }\n}\n", "import {\n  CloudApiError,\n  type CloudApiReport,\n  type CloudBatchPayload,\n  type CloudBatchResponse,\n  type CloudIntegrationResponse,\n  type CloudReportResponse,\n} from \"./types\";\n\nconst DEFAULT_RETRY_DELAY_MS = 1000;\n\n/**\n * HTTP client for the Clef Cloud API.\n * Uses native `fetch()` (Node 18+). Retries once on 5xx or network errors.\n */\nexport class CloudClient {\n  private readonly retryDelayMs: number;\n\n  constructor(options?: { retryDelayMs?: number }) {\n    this.retryDelayMs = options?.retryDelayMs ?? DEFAULT_RETRY_DELAY_MS;\n  }\n  async fetchIntegration(\n    apiUrl: string,\n    apiKey: string,\n    integrationId: string,\n  ): Promise<CloudIntegrationResponse> {\n    const url = `${apiUrl}/api/v1/integrations/${encodeURIComponent(integrationId)}`;\n    return this.request<CloudIntegrationResponse>(\"GET\", url, apiKey);\n  }\n\n  async submitReport(\n    apiUrl: string,\n    apiKey: string,\n    report: CloudApiReport,\n  ): Promise<CloudReportResponse> {\n    const url = `${apiUrl}/api/v1/reports`;\n    return this.request<CloudReportResponse>(\"POST\", url, apiKey, report);\n  }\n\n  async submitBatchReports(\n    apiUrl: string,\n    apiKey: string,\n    batch: CloudBatchPayload,\n  ): Promise<CloudBatchResponse> {\n    const url = `${apiUrl}/api/v1/reports/batch`;\n    return this.request<CloudBatchResponse>(\"POST\", url, apiKey, batch);\n  }\n\n  private async request<T>(\n    method: string,\n    url: string,\n    apiKey: string,\n    body?: unknown,\n  ): Promise<T> {\n    const headers: Record<string, string> = {\n      Authorization: `Bearer ${apiKey}`,\n      \"Content-Type\": \"application/json\",\n    };\n\n    const init: RequestInit = {\n      method,\n      headers,\n      ...(body !== undefined ? { body: JSON.stringify(body) } : {}),\n    };\n\n    let response: Response;\n    try {\n      response = await fetch(url, init);\n    } catch {\n      // Network error \u2014 retry once\n      await this.delay(this.retryDelayMs);\n      try {\n        response = await fetch(url, init);\n      } catch (retryErr) {\n        throw new CloudApiError(\n          `Network error contacting Clef Cloud: ${(retryErr as Error).message}`,\n          0,\n          \"Check your network connection and CLEF_API_URL.\",\n        );\n      }\n    }\n\n    if (response.ok) {\n      return (await response.json()) as T;\n    }\n\n    // 5xx \u2014 retry once\n    if (response.status >= 500 && response.status < 600) {\n      await this.delay(this.retryDelayMs);\n      const retryResponse = await fetch(url, init);\n      if (retryResponse.ok) {\n        return (await retryResponse.json()) as T;\n      }\n      throw this.buildError(retryResponse);\n    }\n\n    // 4xx \u2014 do not retry\n    throw this.buildError(response);\n  }\n\n  private buildError(response: Response): CloudApiError {\n    const hint =\n      response.status === 401 || response.status === 403\n        ? \"Check your API token (--api-token or CLEF_API_TOKEN).\"\n        : response.status === 404\n          ? \"Check your cloud.integrationId in clef.yaml.\"\n          : undefined;\n\n    return new CloudApiError(\n      `Clef Cloud API returned ${response.status} ${response.statusText}`,\n      response.status,\n      hint,\n    );\n  }\n\n  private delay(ms: number): Promise<void> {\n    return new Promise((resolve) => setTimeout(resolve, ms));\n  }\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACMA,2BAAyC;AACzC,eAA0B;AAS1B,IAAM,aAAa;AACnB,IAAM,qBAAqB;AAC3B,IAAM,sBAAsB;AAU5B,eAAsB,gBAAgB,SAIR;AAC5B,QAAM,OAAO,CAAC,UAAU,aAAa;AACrC,MAAI,QAAQ,UAAU;AACpB,SAAK,KAAK,cAAc,QAAQ,QAAQ;AAAA,EAC1C;AAGA,QAAM,YAAQ,4BAAM,QAAQ,YAAY,MAAM;AAAA,IAC5C,OAAO,CAAC,UAAU,QAAQ,MAAM;AAAA,IAChC,KAAK,EAAE,GAAG,QAAQ,KAAK,kBAAkB,QAAQ,MAAM;AAAA,EACzD,CAAC;AAED,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAM,OAAO,mBAAmB,IAAI;AAEpC,SAAO;AAAA,IACL;AAAA,IACA,MAAM,MAAM,eAAe,KAAK;AAAA,EAClC;AACF;AAEA,SAAS,SAAS,OAAsC;AACtD,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,QAAI,UAAU;AAEd,UAAM,KAAc,yBAAgB,EAAE,OAAO,MAAM,OAAQ,CAAC;AAE5D,aAAS,SAAS;AAChB,mBAAa,KAAK;AAClB,SAAG,MAAM;AAAA,IACX;AAEA,UAAM,QAAQ,WAAW,MAAM;AAC7B,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,eAAO;AACP,cAAM,KAAK,SAAS;AACpB,eAAO,IAAI,MAAM,4CAA4C,CAAC;AAAA,MAChE;AAAA,IACF,GAAG,kBAAkB;AAErB,OAAG,GAAG,QAAQ,CAAC,SAAS;AACtB,YAAM,QAAQ,WAAW,KAAK,IAAI;AAClC,UAAI,SAAS,CAAC,SAAS;AACrB,kBAAU;AACV,eAAO;AACP,gBAAQ,SAAS,MAAM,CAAC,GAAG,EAAE,CAAC;AAAA,MAChC;AAAA,IACF,CAAC;AAED,UAAM,GAAG,SAAS,CAAC,QAAQ;AACzB,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,eAAO;AACP,eAAO,IAAI,MAAM,+BAA+B,IAAI,OAAO,EAAE,CAAC;AAAA,MAChE;AAAA,IACF,CAAC;AAED,UAAM,GAAG,QAAQ,CAAC,SAAS;AACzB,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,eAAO;AACP,eAAO,IAAI,MAAM,4CAA4C,IAAI,GAAG,CAAC;AAAA,MACvE;AAAA,IACF,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,eAAe,OAAoC;AAC1D,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,QAAI,MAAM,aAAa,MAAM;AAC3B,cAAQ;AACR;AAAA,IACF;AACA,UAAM,QAAQ,WAAW,MAAM;AAC7B,YAAM,KAAK,SAAS;AAAA,IACtB,GAAG,mBAAmB;AACtB,UAAM,GAAG,QAAQ,MAAM;AACrB,mBAAa,KAAK;AAClB,cAAQ;AAAA,IACV,CAAC;AACD,UAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AACH;;;AC1GA,IAAAA,MAAoB;AACpB,IAAAC,QAAsB;;;ACNtB,SAAoB;AACpB,WAAsB;AAMf,SAAS,uBAAsC;AACpD,QAAM,WAAW,QAAQ;AACzB,QAAM,OAAO,QAAQ;AAErB,QAAM,WAAW,SAAS,QAAQ,QAAQ,SAAS,UAAU,UAAU;AACvE,MAAI,CAAC,SAAU,QAAO;AAEtB,QAAM,eACJ,aAAa,WACT,WACA,aAAa,UACX,UACA,aAAa,UACX,UACA;AACV,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,cAAc,uBAAuB,YAAY,IAAI,QAAQ;AACnE,QAAM,UAAU,aAAa,UAAU,wBAAwB;AAE/D,MAAI;AACF,UAAM,cAAc,QAAQ,QAAQ,GAAG,WAAW,eAAe;AACjE,UAAM,aAAkB,aAAQ,WAAW;AAC3C,UAAM,UAAe,UAAK,YAAY,OAAO,OAAO;AACpD,WAAU,cAAW,OAAO,IAAI,UAAU;AAAA,EAC5C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AD1BA,SAAS,uBAAuB,WAAyB;AACvD,MAAI,CAAM,iBAAW,SAAS,GAAG;AAC/B,UAAM,IAAI,MAAM,uDAAuD,SAAS,IAAI;AAAA,EACtF;AACA,QAAM,WAAW,UAAU,MAAM,OAAO;AACxC,MAAI,SAAS,SAAS,IAAI,GAAG;AAC3B,UAAM,IAAI;AAAA,MACR,sDAAsD,SAAS;AAAA,IAEjE;AAAA,EACF;AACF;AAWA,IAAI;AAaG,SAAS,wBAA8C;AAC5D,MAAI,OAAQ,QAAO;AAGnB,QAAM,UAAU,QAAQ,IAAI,sBAAsB,KAAK;AACvD,MAAI,SAAS;AACX,2BAAuB,OAAO;AAC9B,QAAI,CAAI,eAAW,OAAO,GAAG;AAC3B,YAAM,IAAI,MAAM,mCAAmC,OAAO,gCAAgC;AAAA,IAC5F;AACA,aAAS,EAAE,MAAM,SAAS,QAAQ,MAAM;AACxC,WAAO;AAAA,EACT;AAGA,QAAM,cAAc,qBAAqB;AACzC,MAAI,aAAa;AACf,aAAS,EAAE,MAAM,aAAa,QAAQ,UAAU;AAChD,WAAO;AAAA,EACT;AAGA,WAAS,EAAE,MAAM,mBAAmB,QAAQ,SAAS;AACrD,SAAO;AACT;AAKO,SAAS,4BAAkC;AAChD,WAAS;AACX;;;AE/EA,IAAAC,MAAoB;AACpB,IAAAC,QAAsB;AACtB,SAAoB;AACpB,WAAsB;;;ACHf,IAAM,yBAAyB;;;ADOtC,IAAM,uBAAuB;AAMtB,SAAS,uBAAoD;AAClE,QAAM,WAAgB,WAAQ,WAAQ,GAAG,SAAS,oBAAoB;AAEtE,MAAI;AACJ,MAAI;AACF,UAAW,WAAS,iBAAa,UAAU,OAAO,CAAC;AAAA,EACrD,QAAQ;AACN,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,QAAM,MAAM;AAEZ,QAAM,eAAe,OAAO,IAAI,iBAAiB,WAAW,IAAI,eAAe;AAC/E,QAAM,cAAc,OAAO,IAAI,gBAAgB,WAAW,IAAI,cAAc;AAC5E,QAAM,oBACJ,OAAO,IAAI,sBAAsB,WAAW,IAAI,oBAAoB;AACtE,QAAM,WAAW,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AACnE,QAAM,gBAAgB,OAAO,IAAI,kBAAkB,WAAW,IAAI,gBAAgB;AAClF,QAAM,WAAW,OAAO,IAAI,aAAa,WAAW,IAAI,WAAW;AAEnE,MAAI,CAAC,gBAAgB,aAAa,uBAAwB,QAAO;AAEjE,SAAO,EAAE,cAAc,aAAa,mBAAmB,UAAU,eAAe,SAAS;AAC3F;AAOO,SAAS,sBAAsB,aAAyC;AAC7E,QAAM,UAAe,WAAQ,WAAQ,GAAG,OAAO;AAC/C,EAAG,cAAU,SAAS,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AACtD,QAAM,WAAgB,WAAK,SAAS,oBAAoB;AAExD,QAAM,UAAU,OAAO;AAAA,IACrB,OAAO,QAAQ,WAAW,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,MAAM,MAAM,MAAS;AAAA,EAC/D;AAEA,EAAG,kBAAc,UAAe,eAAU,OAAO,GAAG,EAAE,MAAM,IAAM,CAAC;AACrE;;;AEVA,eAAsB,mBACpB,UACA,SAMwB;AACxB,QAAM,OAAO,YAAY;AACzB,QAAM,UAAkC;AAAA,IACtC,YAAY;AAAA,IACZ,eAAe,QAAQ;AAAA,IACvB,UAAU,QAAQ;AAAA,IAClB,MAAM,QAAQ;AAAA,EAChB;AACA,MAAI,QAAQ,aAAa;AACvB,YAAQ,cAAc,QAAQ;AAAA,EAChC;AACA,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,GAAG,IAAI,uBAAuB;AAAA,MAC9C,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,OAAO;AAAA,IAC9B,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,UAAM,QAAQ,eAAe,QAAS,IAAoC,QAAQ;AAClF,UAAM,SACJ,iBAAiB,QAAQ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC1F,UAAM,IAAI,MAAM,iCAAiC,IAAI,KAAK,MAAM,EAAE;AAAA,EACpE;AAEA,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,UAAM,IAAI,MAAM,4BAA4B,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,EACpE;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK;AAE5B,QAAM,UAAW,KAAK,QAAQ;AAG9B,MAAI,QAAQ,WAAW,CAAC,QAAQ,QAAQ,WAAW,MAAM,GAAG;AAC1D,YAAQ,UAAU,GAAG,IAAI,GAAG,QAAQ,OAAO;AAAA,EAC7C;AAEA,SAAO;AACT;AAQA,eAAsB,eAAe,SAA4C;AAC/E,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,OAAO;AAAA,EAC3B,SAAS,KAAK;AACZ,UAAM,QAAQ,eAAe,QAAS,IAAoC,QAAQ;AAClF,UAAM,SACJ,iBAAiB,QAAQ,MAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC1F,UAAM,IAAI,MAAM,6CAA6C,MAAM,EAAE;AAAA,EACvE;AAEA,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,UAAM,IAAI,MAAM,4BAA4B,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,EACpE;AAEA,QAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,SAAQ,KAAK,QAAQ;AACvB;;;ACjHA,IAAAC,MAAoB;AACpB,IAAAC,QAAsB;AAEtB,kBAA8B;AAkBvB,IAAM,kBAAN,MAAsB;AAAA,EACV;AAAA,EAEjB,YAAY,UAAmB;AAC7B,SAAK,WAAW,YAAY;AAAA,EAC9B;AAAA,EAEA,MAAM,KAAK,OAAe,QAAqD;AAC7E,UAAM,gBAAgB,IAAI,0BAAc;AACxC,UAAM,QAAQ,cACX,cAAc,OAAO,UAAU,OAAO,QAAQ,EAC9C,OAAO,CAAC,MAAkB,EAAE,gBAAgB,OAAO,eAAe,EAAE,MAAM;AAE7E,UAAM,WAAW,IAAI,SAAS;AAE9B,UAAM,aAAa,KAAK,UAAU;AAAA,MAChC,UAAU,OAAO;AAAA,MACjB,aAAa,OAAO;AAAA,MACpB,GAAI,OAAO,MAAM,EAAE,KAAK,OAAO,IAAI,IAAI,CAAC;AAAA,IAC1C,CAAC;AACD,aAAS,OAAO,UAAU,IAAI,KAAK,CAAC,UAAU,GAAG,EAAE,MAAM,mBAAmB,CAAC,CAAC;AAE9E,UAAM,eAAoB,WAAK,OAAO,UAAU,WAAW;AAC3D,UAAM,kBAAqB,iBAAa,cAAc,OAAO;AAC7D,aAAS,OAAO,YAAY,IAAI,KAAK,CAAC,eAAe,GAAG,EAAE,MAAM,YAAY,CAAC,CAAC;AAE9E,eAAW,QAAQ,OAAO;AACxB,YAAM,UAAe,eAAS,OAAO,UAAU,KAAK,QAAQ;AAC5D,YAAM,UAAa,iBAAa,KAAK,UAAU,OAAO;AACtD,eAAS,OAAO,SAAS,IAAI,KAAK,CAAC,OAAO,GAAG,EAAE,MAAM,YAAY,CAAC,GAAG,OAAO;AAAA,IAC9E;AAEA,UAAM,MAAM,MAAM,MAAM,GAAG,KAAK,QAAQ,sBAAsB;AAAA,MAC5D,QAAQ;AAAA,MACR,SAAS,EAAE,eAAe,UAAU,KAAK,GAAG;AAAA,MAC5C,MAAM;AAAA,IACR,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,YAAM,IAAI,MAAM,sBAAsB,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,IAC9D;AAEA,WAAQ,MAAM,IAAI,KAAK;AAAA,EACzB;AACF;AAOO,IAAM,sBAAN,MAA0B;AAAA,EACd;AAAA,EAEjB,YAAY,UAAmB;AAC7B,SAAK,WAAW,YAAY;AAAA,EAC9B;AAAA,EAEA,MAAM,OACJ,OACA,QACe;AACf,UAAM,MAAM,MAAM;AAAA,MAChB,GAAG,KAAK,QAAQ,2BAA2B,OAAO,QAAQ,IAAI,OAAO,WAAW;AAAA,MAChF;AAAA,QACE,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,UAAU,KAAK;AAAA,UAC9B,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,OAAO;AAAA,MACf;AAAA,IACF;AAEA,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,YAAM,IAAI,MAAM,2BAA2B,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,IACnE;AAAA,EACF;AACF;;;AC9EA,eAAsB,mBAAmB,QAAyD;AAChG,QAAM,MAAM,GAAG,OAAO,aAAa;AAEnC,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,WAAW,OAAO;AAAA,IAClB,eAAe,OAAO;AAAA,EACxB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,KAAK;AAAA,IAC3B,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,QAAI,IAAI,WAAW,OAAO,KAAK,SAAS,eAAe,GAAG;AACxD,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,IAAI,EAAE;AAAA,EACjE;AAEA,QAAM,OAAQ,MAAM,IAAI,KAAK;AAO7B,SAAO;AAAA,IACL,aAAa,KAAK;AAAA,IAClB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,EAClB;AACF;;;AChCA,eAAsB,qBAA0E;AAE9F,QAAM,YAAY,QAAQ,IAAI;AAC9B,MAAI,WAAW;AACb,UAAMC,SAAQ,qBAAqB;AACnC,WAAO,EAAE,aAAa,WAAW,UAAUA,QAAO,SAAS;AAAA,EAC7D;AAEA,QAAM,QAAQ,qBAAqB;AACnC,QAAM,eAAe,QAAQ,IAAI,4BAA4B,OAAO;AAEpE,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,MAAM,qEAAqE;AAAA,EACvF;AAGA,MACE,OAAO,eACP,OAAO,qBACP,KAAK,IAAI,IAAI,MAAM,oBAAoB,KACvC;AACA,WAAO,EAAE,aAAa,MAAM,aAAa,UAAU,OAAO,SAAS;AAAA,EACrE;AAEA,MAAI,CAAC,OAAO,iBAAiB,CAAC,OAAO,UAAU;AAC7C,UAAM,IAAI,MAAM,2EAA2E;AAAA,EAC7F;AAEA,QAAM,SAAS,MAAM,mBAAmB;AAAA,IACtC,eAAe,MAAM;AAAA,IACrB,UAAU,MAAM;AAAA,IAChB;AAAA,EACF,CAAC;AAED,wBAAsB;AAAA,IACpB,GAAG;AAAA,IACH;AAAA,IACA,aAAa,OAAO;AAAA,IACpB,mBAAmB,KAAK,IAAI,IAAI,OAAO,YAAY;AAAA,EACrD,CAAC;AAED,SAAO,EAAE,aAAa,OAAO,aAAa,UAAU,OAAO,SAAS;AACtE;AAUA,eAAsB,sBACpB,UACA,QACA,kBAC0B;AAC1B,QAAM,EAAE,aAAa,SAAS,IAAI,MAAM,mBAAmB;AAE3D,QAAM,aAAa,sBAAsB,EAAE;AAC3C,QAAM,SAAS,MAAM,gBAAgB;AAAA,IACnC;AAAA,IACA,OAAO;AAAA,IACP;AAAA,EACF,CAAC;AAED,QAAM,SAAS,MAAM,iBAAiB,UAAU,QAAQ,OAAO,IAAI;AACnE,SAAO;AAAA,IACL;AAAA,IACA,SAAS,MAAM,OAAO,KAAK;AAAA,EAC7B;AACF;;;ACHO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YACE,SACgB,YACA,KAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AAAA,EALkB;AAAA,EACA;AAKpB;;;ACrGA,IAAM,yBAAyB;AAMxB,IAAM,cAAN,MAAkB;AAAA,EACN;AAAA,EAEjB,YAAY,SAAqC;AAC/C,SAAK,eAAe,SAAS,gBAAgB;AAAA,EAC/C;AAAA,EACA,MAAM,iBACJ,QACA,QACA,eACmC;AACnC,UAAM,MAAM,GAAG,MAAM,wBAAwB,mBAAmB,aAAa,CAAC;AAC9E,WAAO,KAAK,QAAkC,OAAO,KAAK,MAAM;AAAA,EAClE;AAAA,EAEA,MAAM,aACJ,QACA,QACA,QAC8B;AAC9B,UAAM,MAAM,GAAG,MAAM;AACrB,WAAO,KAAK,QAA6B,QAAQ,KAAK,QAAQ,MAAM;AAAA,EACtE;AAAA,EAEA,MAAM,mBACJ,QACA,QACA,OAC6B;AAC7B,UAAM,MAAM,GAAG,MAAM;AACrB,WAAO,KAAK,QAA4B,QAAQ,KAAK,QAAQ,KAAK;AAAA,EACpE;AAAA,EAEA,MAAc,QACZ,QACA,KACA,QACA,MACY;AACZ,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,MAAM;AAAA,MAC/B,gBAAgB;AAAA,IAClB;AAEA,UAAM,OAAoB;AAAA,MACxB;AAAA,MACA;AAAA,MACA,GAAI,SAAS,SAAY,EAAE,MAAM,KAAK,UAAU,IAAI,EAAE,IAAI,CAAC;AAAA,IAC7D;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,MAAM,KAAK,IAAI;AAAA,IAClC,QAAQ;AAEN,YAAM,KAAK,MAAM,KAAK,YAAY;AAClC,UAAI;AACF,mBAAW,MAAM,MAAM,KAAK,IAAI;AAAA,MAClC,SAAS,UAAU;AACjB,cAAM,IAAI;AAAA,UACR,wCAAyC,SAAmB,OAAO;AAAA,UACnE;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,SAAS,IAAI;AACf,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B;AAGA,QAAI,SAAS,UAAU,OAAO,SAAS,SAAS,KAAK;AACnD,YAAM,KAAK,MAAM,KAAK,YAAY;AAClC,YAAM,gBAAgB,MAAM,MAAM,KAAK,IAAI;AAC3C,UAAI,cAAc,IAAI;AACpB,eAAQ,MAAM,cAAc,KAAK;AAAA,MACnC;AACA,YAAM,KAAK,WAAW,aAAa;AAAA,IACrC;AAGA,UAAM,KAAK,WAAW,QAAQ;AAAA,EAChC;AAAA,EAEQ,WAAW,UAAmC;AACpD,UAAM,OACJ,SAAS,WAAW,OAAO,SAAS,WAAW,MAC3C,0DACA,SAAS,WAAW,MAClB,iDACA;AAER,WAAO,IAAI;AAAA,MACT,2BAA2B,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,MACjE,SAAS;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,MAAM,IAA2B;AACvC,WAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AAAA,EACzD;AACF;",
+  "names": ["fs", "path", "fs", "path", "fs", "path", "creds"]
+}