@clef-sh/core 0.1.10 → 0.1.11-beta.62

package/dist/index.mjs

@@ -695,9 +695,21 @@ var ManifestParser = class {
   }
 };
 
+// src/manifest/io.ts
+import * as fs2 from "fs";
+import * as path from "path";
+import * as YAML2 from "yaml";
+function readManifestYaml(repoRoot) {
+  const raw = fs2.readFileSync(path.join(repoRoot, CLEF_MANIFEST_FILENAME), "utf-8");
+  return YAML2.parse(raw);
+}
+function writeManifestYaml(repoRoot, doc) {
+  fs2.writeFileSync(path.join(repoRoot, CLEF_MANIFEST_FILENAME), YAML2.stringify(doc), "utf-8");
+}
+
 // src/scanner/index.ts
-import * as fs3 from "fs";
-import * as path2 from "path";
+import * as fs4 from "fs";
+import * as path3 from "path";
 
 // src/scanner/patterns.ts
 var PATTERNS = [
@@ -757,12 +769,12 @@ function matchPatterns(line, lineNumber, filePath) {
 }
 
 // src/scanner/ignore.ts
-import * as fs2 from "fs";
-import * as path from "path";
+import * as fs3 from "fs";
+import * as path2 from "path";
 function loadIgnoreRules(repoRoot) {
-  const ignorePath = path.join(repoRoot, ".clefignore");
+  const ignorePath = path2.join(repoRoot, ".clefignore");
   try {
-    const content = fs2.readFileSync(ignorePath, "utf-8");
+    const content = fs3.readFileSync(ignorePath, "utf-8");
     return parseIgnoreContent(content);
   } catch {
     return { files: [], patterns: [], paths: [] };
@@ -845,9 +857,9 @@ var ScanRunner = class {
     for (const ns of manifest.namespaces) {
       for (const env of manifest.environments) {
         const relPath = manifest.file_pattern.replace("{namespace}", ns.name).replace("{environment}", env.name);
-        const absPath = path2.join(repoRoot, relPath);
-        if (fs3.existsSync(absPath)) {
-          const content = fs3.readFileSync(absPath, "utf-8");
+        const absPath = path3.join(repoRoot, relPath);
+        if (fs4.existsSync(absPath)) {
+          const content = fs4.readFileSync(absPath, "utf-8");
           if (!content.includes("sops:") && !content.includes('"sops"')) {
             unencryptedMatrixFiles.push(relPath);
           }
@@ -863,8 +875,8 @@ var ScanRunner = class {
       filesToScan = await this.getAllTrackedFiles(repoRoot);
     }
     for (const relFile of filesToScan) {
-      const absFile = path2.isAbsolute(relFile) ? relFile : path2.join(repoRoot, relFile);
-      const relPath = path2.relative(repoRoot, absFile).replace(/\\/g, "/");
+      const absFile = path3.isAbsolute(relFile) ? relFile : path3.join(repoRoot, relFile);
+      const relPath = path3.relative(repoRoot, absFile).replace(/\\/g, "/");
       if (this.shouldAlwaysSkip(relPath)) {
         filesSkipped++;
         continue;
@@ -873,13 +885,13 @@ var ScanRunner = class {
         filesSkipped++;
         continue;
       }
-      if (!fs3.existsSync(absFile)) {
+      if (!fs4.existsSync(absFile)) {
         filesSkipped++;
         continue;
       }
       let stat;
       try {
-        stat = fs3.statSync(absFile);
+        stat = fs4.statSync(absFile);
       } catch {
         filesSkipped++;
         continue;
@@ -893,7 +905,7 @@ var ScanRunner = class {
         continue;
       }
       filesScanned++;
-      const content = fs3.readFileSync(absFile, "utf-8");
+      const content = fs4.readFileSync(absFile, "utf-8");
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
@@ -935,10 +947,10 @@ var ScanRunner = class {
   }
   isBinary(filePath) {
     try {
-      const fd = fs3.openSync(filePath, "r");
+      const fd = fs4.openSync(filePath, "r");
       const buf = Buffer.alloc(512);
-      const bytesRead = fs3.readSync(fd, buf, 0, 512, 0);
-      fs3.closeSync(fd);
+      const bytesRead = fs4.readSync(fd, buf, 0, 512, 0);
+      fs4.closeSync(fd);
       for (let i = 0; i < bytesRead; i++) {
         if (buf[i] === 0) return true;
       }
@@ -978,13 +990,13 @@ var ScanRunner = class {
   async getFilesInPaths(repoRoot, paths) {
     const files = [];
     for (const p of paths) {
-      const absPath = path2.isAbsolute(p) ? p : path2.join(repoRoot, p);
-      if (!fs3.existsSync(absPath)) continue;
-      const stat = fs3.statSync(absPath);
+      const absPath = path3.isAbsolute(p) ? p : path3.join(repoRoot, p);
+      if (!fs4.existsSync(absPath)) continue;
+      const stat = fs4.statSync(absPath);
       if (stat.isDirectory()) {
         files.push(...this.walkDir(absPath, repoRoot));
       } else {
-        files.push(path2.relative(repoRoot, absPath).replace(/\\/g, "/"));
+        files.push(path3.relative(repoRoot, absPath).replace(/\\/g, "/"));
       }
     }
     return files;
@@ -1000,13 +1012,13 @@ var ScanRunner = class {
     const files = [];
     let entries;
     try {
-      entries = fs3.readdirSync(dir, { withFileTypes: true });
+      entries = fs4.readdirSync(dir, { withFileTypes: true });
     } catch {
       return files;
     }
     for (const entry of entries) {
-      const fullPath = path2.join(dir, entry.name);
-      const relPath = path2.relative(repoRoot, fullPath).replace(/\\/g, "/");
+      const fullPath = path3.join(dir, entry.name);
+      const relPath = path3.relative(repoRoot, fullPath).replace(/\\/g, "/");
       if (entry.isDirectory()) {
         if (!ALWAYS_SKIP_DIRS.includes(entry.name)) {
           files.push(...this.walkDir(fullPath, repoRoot));
@@ -1020,29 +1032,29 @@ var ScanRunner = class {
 };
 
 // src/matrix/manager.ts
-import * as fs6 from "fs";
-import * as path4 from "path";
-import * as YAML4 from "yaml";
+import * as fs7 from "fs";
+import * as path5 from "path";
+import * as YAML5 from "yaml";
 
 // src/pending/metadata.ts
-import * as fs4 from "fs";
-import * as path3 from "path";
+import * as fs5 from "fs";
+import * as path4 from "path";
 import * as crypto from "crypto";
-import * as YAML2 from "yaml";
+import * as YAML3 from "yaml";
 function metadataPath(encryptedFilePath) {
-  const dir = path3.dirname(encryptedFilePath);
-  const base = path3.basename(encryptedFilePath).replace(/\.enc\.(yaml|json)$/, "");
-  return path3.join(dir, `${base}.clef-meta.yaml`);
+  const dir = path4.dirname(encryptedFilePath);
+  const base = path4.basename(encryptedFilePath).replace(/\.enc\.(yaml|json)$/, "");
+  return path4.join(dir, `${base}.clef-meta.yaml`);
 }
 var HEADER_COMMENT = "# Managed by Clef. Do not edit manually.\n";
 async function loadMetadata(filePath) {
   const metaPath = metadataPath(filePath);
   try {
-    if (!fs4.existsSync(metaPath)) {
+    if (!fs5.existsSync(metaPath)) {
       return { version: 1, pending: [] };
     }
-    const content = fs4.readFileSync(metaPath, "utf-8");
-    const parsed = YAML2.parse(content);
+    const content = fs5.readFileSync(metaPath, "utf-8");
+    const parsed = YAML3.parse(content);
     if (!parsed || !Array.isArray(parsed.pending)) {
       return { version: 1, pending: [] };
     }
@@ -1060,9 +1072,9 @@ async function loadMetadata(filePath) {
 }
 async function saveMetadata(filePath, metadata) {
   const metaPath = metadataPath(filePath);
-  const dir = path3.dirname(metaPath);
-  if (!fs4.existsSync(dir)) {
-    fs4.mkdirSync(dir, { recursive: true });
+  const dir = path4.dirname(metaPath);
+  if (!fs5.existsSync(dir)) {
+    fs5.mkdirSync(dir, { recursive: true });
   }
   const data = {
     version: metadata.version,
@@ -1072,7 +1084,7 @@ async function saveMetadata(filePath, metadata) {
       setBy: p.setBy
     }))
   };
-  fs4.writeFileSync(metaPath, HEADER_COMMENT + YAML2.stringify(data), "utf-8");
+  fs5.writeFileSync(metaPath, HEADER_COMMENT + YAML3.stringify(data), "utf-8");
 }
 async function markPending(filePath, keys, setBy) {
   const metadata = await loadMetadata(filePath);
@@ -1113,12 +1125,12 @@ async function markPendingWithRetry(filePath, keys, setBy, retryDelayMs = 200) {
 }
 
 // src/sops/keys.ts
-import * as fs5 from "fs";
-import * as YAML3 from "yaml";
+import * as fs6 from "fs";
+import * as YAML4 from "yaml";
 function readSopsKeyNames(filePath) {
   try {
-    const raw = fs5.readFileSync(filePath, "utf-8");
-    const parsed = YAML3.parse(raw);
+    const raw = fs6.readFileSync(filePath, "utf-8");
+    const parsed = YAML4.parse(raw);
     if (parsed === null || parsed === void 0 || typeof parsed !== "object") return null;
     return Object.keys(parsed).filter((k) => k !== "sops");
   } catch {
@@ -1140,12 +1152,12 @@ var MatrixManager = class {
     for (const ns of manifest.namespaces) {
       for (const env of manifest.environments) {
         const relativePath = manifest.file_pattern.replace("{namespace}", ns.name).replace("{environment}", env.name);
-        const filePath = path4.join(repoRoot, relativePath);
+        const filePath = path5.join(repoRoot, relativePath);
         cells.push({
           namespace: ns.name,
           environment: env.name,
           filePath,
-          exists: fs6.existsSync(filePath)
+          exists: fs7.existsSync(filePath)
         });
       }
     }
@@ -1168,9 +1180,9 @@ var MatrixManager = class {
    * @param manifest - Parsed manifest used to determine the encryption backend.
    */
   async scaffoldCell(cell, sopsClient, manifest) {
-    const dir = path4.dirname(cell.filePath);
-    if (!fs6.existsSync(dir)) {
-      fs6.mkdirSync(dir, { recursive: true });
+    const dir = path5.dirname(cell.filePath);
+    if (!fs7.existsSync(dir)) {
+      fs7.mkdirSync(dir, { recursive: true });
     }
     await sopsClient.encrypt(cell.filePath, {}, manifest, cell.environment);
   }
@@ -1246,8 +1258,8 @@ var MatrixManager = class {
    */
   readLastModified(filePath) {
     try {
-      const raw = fs6.readFileSync(filePath, "utf-8");
-      const parsed = YAML4.parse(raw);
+      const raw = fs7.readFileSync(filePath, "utf-8");
+      const parsed = YAML5.parse(raw);
       const sops = parsed?.sops;
       if (sops?.lastmodified) return new Date(String(sops.lastmodified));
       return null;
@@ -1268,8 +1280,8 @@ var MatrixManager = class {
 };
 
 // src/schema/validator.ts
-import * as fs7 from "fs";
-import * as YAML5 from "yaml";
+import * as fs8 from "fs";
+import * as YAML6 from "yaml";
 var SchemaValidator = class {
   /**
    * Read and parse a YAML schema file from disk.
@@ -1281,13 +1293,13 @@ var SchemaValidator = class {
   loadSchema(filePath) {
     let raw;
     try {
-      raw = fs7.readFileSync(filePath, "utf-8");
+      raw = fs8.readFileSync(filePath, "utf-8");
     } catch {
       throw new SchemaLoadError(`Could not read schema file at '${filePath}'.`, filePath);
     }
     let parsed;
     try {
-      parsed = YAML5.parse(raw);
+      parsed = YAML6.parse(raw);
     } catch {
       throw new SchemaLoadError(`Schema file '${filePath}' contains invalid YAML.`, filePath);
     }
@@ -1415,7 +1427,7 @@ var SchemaValidator = class {
 };
 
 // src/diff/engine.ts
-import * as path5 from "path";
+import * as path6 from "path";
 var DiffEngine = class {
   /**
    * Compare two in-memory value maps and produce a sorted diff result.
@@ -1472,11 +1484,11 @@ var DiffEngine = class {
    * @throws {@link SopsDecryptionError} If either file cannot be decrypted.
    */
   async diffFiles(namespace, envA, envB, manifest, sopsClient, repoRoot) {
-    const fileA = path5.join(
+    const fileA = path6.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envA)
     );
-    const fileB = path5.join(
+    const fileB = path6.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", envB)
     );
@@ -1489,7 +1501,7 @@ var DiffEngine = class {
 };
 
 // src/bulk/ops.ts
-import * as path6 from "path";
+import * as path7 from "path";
 var BulkOps = class {
   /**
    * Set a key to different values in multiple environments at once.
@@ -1508,7 +1520,7 @@ var BulkOps = class {
       if (!(env.name in values)) {
         continue;
       }
-      const filePath = path6.join(
+      const filePath = path7.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
       );
@@ -1542,7 +1554,7 @@ Successfully updated ${Object.keys(values).length - errors.length} environment(s
   async deleteAcrossEnvironments(namespace, key, manifest, sopsClient, repoRoot) {
     const errors = [];
     for (const env of manifest.environments) {
-      const filePath = path6.join(
+      const filePath = path7.join(
         repoRoot,
         manifest.file_pattern.replace("{namespace}", namespace).replace("{environment}", env.name)
       );
@@ -1588,8 +1600,8 @@ ${details}`
 };
 
 // src/git/integration.ts
-import * as fs8 from "fs";
-import * as path7 from "path";
+import * as fs9 from "fs";
+import * as path8 from "path";
 var PRE_COMMIT_HOOK = `#!/bin/sh
 # Clef pre-commit hook \u2014 blocks commits of files missing SOPS encryption metadata
 # and scans staged files for plaintext secrets.
@@ -1796,15 +1808,15 @@ var GitIntegration = class {
       cwd: repoRoot
     });
     const gitConfig = configResult.exitCode === 0 && configResult.stdout.trim().length > 0;
-    const attrFilePath = path7.join(repoRoot, ".gitattributes");
-    const attrContent = fs8.existsSync(attrFilePath) ? fs8.readFileSync(attrFilePath, "utf-8") : "";
+    const attrFilePath = path8.join(repoRoot, ".gitattributes");
+    const attrContent = fs9.existsSync(attrFilePath) ? fs9.readFileSync(attrFilePath, "utf-8") : "";
     const gitattributes = attrContent.includes("merge=sops");
     return { gitConfig, gitattributes };
   }
   async ensureGitattributes(repoRoot) {
-    const attrPath = path7.join(repoRoot, ".gitattributes");
+    const attrPath = path8.join(repoRoot, ".gitattributes");
     const mergeRule = "*.enc.yaml merge=sops\n*.enc.json merge=sops";
-    const existing = fs8.existsSync(attrPath) ? fs8.readFileSync(attrPath, "utf-8") : "";
+    const existing = fs9.existsSync(attrPath) ? fs9.readFileSync(attrPath, "utf-8") : "";
     if (existing.includes("merge=sops")) {
       return;
     }
@@ -1831,7 +1843,7 @@ ${mergeRule}
    * @throws {@link GitOperationError} On failure.
    */
   async installPreCommitHook(repoRoot) {
-    const hookPath = path7.join(repoRoot, ".git", "hooks", "pre-commit");
+    const hookPath = path8.join(repoRoot, ".git", "hooks", "pre-commit");
     const result = await this.runner.run("tee", [hookPath], {
       stdin: PRE_COMMIT_HOOK,
       cwd: repoRoot
@@ -1852,18 +1864,18 @@ ${mergeRule}
 };
 
 // src/sops/client.ts
-import * as fs11 from "fs";
+import * as fs12 from "fs";
 import * as net from "net";
 import { randomBytes as randomBytes2 } from "crypto";
-import * as YAML6 from "yaml";
+import * as YAML7 from "yaml";
 
 // src/sops/resolver.ts
-import * as fs10 from "fs";
-import * as path9 from "path";
+import * as fs11 from "fs";
+import * as path10 from "path";
 
 // src/sops/bundled.ts
-import * as fs9 from "fs";
-import * as path8 from "path";
+import * as fs10 from "fs";
+import * as path9 from "path";
 function tryBundled() {
   const platform = process.platform;
   const arch = process.arch;
@@ -1875,9 +1887,9 @@ function tryBundled() {
   const binName = platform === "win32" ? "sops.exe" : "sops";
   try {
     const packageMain = __require.resolve(`${packageName}/package.json`);
-    const packageDir = path8.dirname(packageMain);
-    const binPath = path8.join(packageDir, "bin", binName);
-    return fs9.existsSync(binPath) ? binPath : null;
+    const packageDir = path9.dirname(packageMain);
+    const binPath = path9.join(packageDir, "bin", binName);
+    return fs10.existsSync(binPath) ? binPath : null;
   } catch {
     return null;
   }
@@ -1885,7 +1897,7 @@ function tryBundled() {
 
 // src/sops/resolver.ts
 function validateSopsPath(candidate) {
-  if (!path9.isAbsolute(candidate)) {
+  if (!path10.isAbsolute(candidate)) {
     throw new Error(`CLEF_SOPS_PATH must be an absolute path, got '${candidate}'.`);
   }
   const segments = candidate.split(/[/\\]/);
@@ -1901,7 +1913,7 @@ function resolveSopsPath() {
   const envPath = process.env.CLEF_SOPS_PATH?.trim();
   if (envPath) {
     validateSopsPath(envPath);
-    if (!fs10.existsSync(envPath)) {
+    if (!fs11.existsSync(envPath)) {
       throw new Error(`CLEF_SOPS_PATH points to '${envPath}' but the file does not exist.`);
     }
     cached = { path: envPath, source: "env" };
@@ -2109,7 +2121,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML6.parse(result.stdout) ?? {};
+      parsed = YAML7.parse(result.stdout) ?? {};
     } catch {
       throw new SopsDecryptionError(
         `Decrypted content of '${filePath}' is not valid YAML.`,
@@ -2136,7 +2148,7 @@ var SopsClient = class {
   async encrypt(filePath, values, manifest, environment) {
     await assertSops(this.runner, this.sopsCommand);
     const fmt = formatFromPath(filePath);
-    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML6.stringify(values);
+    const content = fmt === "json" ? JSON.stringify(values, null, 2) : YAML7.stringify(values);
     const args = this.buildEncryptArgs(filePath, manifest, environment);
     const env = this.buildSopsEnv();
     let inputArg;
@@ -2180,7 +2192,7 @@ var SopsClient = class {
       );
     }
     try {
-      fs11.writeFileSync(filePath, result.stdout);
+      fs12.writeFileSync(filePath, result.stdout);
     } catch {
       throw new SopsEncryptionError(`Failed to write encrypted data to '${filePath}'.`, filePath);
     }
@@ -2296,7 +2308,7 @@ var SopsClient = class {
     if (!this.ageKey && !this.ageKeyFile) return "key-not-found";
     let keyContent;
     try {
-      keyContent = this.ageKey ?? fs11.readFileSync(this.ageKeyFile, "utf-8");
+      keyContent = this.ageKey ?? fs12.readFileSync(this.ageKeyFile, "utf-8");
     } catch {
       return "key-not-found";
     }
@@ -2313,7 +2325,7 @@ var SopsClient = class {
   parseMetadataFromFile(filePath) {
     let content;
     try {
-      content = fs11.readFileSync(filePath, "utf-8");
+      content = fs12.readFileSync(filePath, "utf-8");
     } catch {
       throw new SopsDecryptionError(
         `Could not read file '${filePath}' to extract SOPS metadata.`,
@@ -2322,7 +2334,7 @@ var SopsClient = class {
     }
     let parsed;
     try {
-      parsed = YAML6.parse(content);
+      parsed = YAML7.parse(content);
     } catch {
       throw new SopsDecryptionError(
         `File '${filePath}' is not valid YAML. Cannot extract SOPS metadata.`,
@@ -2417,7 +2429,7 @@ var SopsClient = class {
 };
 
 // src/lint/runner.ts
-import * as path10 from "path";
+import * as path11 from "path";
 var LintRunner = class {
   constructor(matrixManager, schemaValidator, sopsClient) {
     this.matrixManager = matrixManager;
@@ -2517,7 +2529,7 @@ var LintRunner = class {
         }
         const ns = manifest.namespaces.find((n) => n.name === cell.namespace);
         if (ns?.schema) {
-          const schemaPath = path10.join(repoRoot, ns.schema);
+          const schemaPath = path11.join(repoRoot, ns.schema);
           try {
             const schema = this.schemaValidator.loadSchema(schemaPath);
             const result = this.schemaValidator.validate(decrypted.values, schema);
@@ -2750,14 +2762,14 @@ Use 'clef exec' to inject secrets directly into a process, or 'clef export --for
 };
 
 // src/import/index.ts
-import * as path12 from "path";
+import * as path13 from "path";
 
 // src/import/parsers.ts
-import * as path11 from "path";
-import * as YAML7 from "yaml";
+import * as path12 from "path";
+import * as YAML8 from "yaml";
 function detectFormat(filePath, content) {
-  const base = path11.basename(filePath);
-  const ext = path11.extname(filePath).toLowerCase();
+  const base = path12.basename(filePath);
+  const ext = path12.extname(filePath).toLowerCase();
   if (base === ".env" || base.startsWith(".env.")) {
     return "dotenv";
   }
@@ -2778,7 +2790,7 @@ function detectFormat(filePath, content) {
   } catch {
   }
   try {
-    const parsed = YAML7.parse(content);
+    const parsed = YAML8.parse(content);
     if (parsed !== null && typeof parsed === "object" && !Array.isArray(parsed)) {
       return "yaml";
     }
@@ -2859,7 +2871,7 @@ function parseJson(content) {
 function parseYaml(content) {
   let parsed;
   try {
-    parsed = YAML7.parse(content);
+    parsed = YAML8.parse(content);
   } catch (err) {
     throw new Error(`Invalid YAML: ${err.message}`);
   }
@@ -2893,7 +2905,7 @@ function parseYaml(content) {
   }
   return { pairs, format: "yaml", skipped, warnings };
 }
-function parse8(content, format, filePath) {
+function parse9(content, format, filePath) {
   const resolved = format === "auto" ? detectFormat(filePath ?? "", content) : format;
   switch (resolved) {
     case "dotenv":
@@ -2922,11 +2934,11 @@ var ImportRunner = class {
    */
   async import(target, sourcePath, content, manifest, repoRoot, options) {
     const [ns, env] = target.split("/");
-    const filePath = path12.join(
+    const filePath = path13.join(
       repoRoot,
       manifest.file_pattern.replace("{namespace}", ns).replace("{environment}", env)
     );
-    const parsed = parse8(content, options.format ?? "auto", sourcePath ?? "");
+    const parsed = parse9(content, options.format ?? "auto", sourcePath ?? "");
     let candidates = Object.entries(parsed.pairs);
     if (options.prefix) {
       const prefix = options.prefix;
@@ -2980,9 +2992,8 @@ var ImportRunner = class {
 };
 
 // src/recipients/index.ts
-import * as fs12 from "fs";
-import * as path13 from "path";
-import * as YAML8 from "yaml";
+import * as fs13 from "fs";
+import * as path14 from "path";
 function parseRecipientEntry(entry) {
   if (typeof entry === "string") {
     return { key: entry };
@@ -3003,15 +3014,6 @@ function toRecipient(entry) {
     ...entry.label ? { label: entry.label } : {}
   };
 }
-function readManifestYaml(repoRoot) {
-  const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  const raw = fs12.readFileSync(manifestPath, "utf-8");
-  return YAML8.parse(raw);
-}
-function writeManifestYaml(repoRoot, doc) {
-  const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-  fs12.writeFileSync(manifestPath, YAML8.stringify(doc), "utf-8");
-}
 function getRecipientsArray(doc) {
   const sops = doc.sops;
   if (!sops) return [];
@@ -3110,8 +3112,8 @@ var RecipientManager = class {
     if (currentKeys.includes(normalizedKey)) {
       throw new Error(`Recipient '${keyPreview(normalizedKey)}' is already present.`);
     }
-    const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const manifestBackup = fs12.readFileSync(manifestPath, "utf-8");
+    const manifestPath = path14.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const manifestBackup = fs13.readFileSync(manifestPath, "utf-8");
     const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
     if (label) {
       recipients.push({ key: normalizedKey, label });
@@ -3126,16 +3128,16 @@ var RecipientManager = class {
     const fileBackups = /* @__PURE__ */ new Map();
     for (const cell of cells) {
       try {
-        fileBackups.set(cell.filePath, fs12.readFileSync(cell.filePath, "utf-8"));
+        fileBackups.set(cell.filePath, fs13.readFileSync(cell.filePath, "utf-8"));
         await this.encryption.addRecipient(cell.filePath, normalizedKey);
         reEncryptedFiles.push(cell.filePath);
       } catch {
         failedFiles.push(cell.filePath);
-        fs12.writeFileSync(manifestPath, manifestBackup, "utf-8");
+        fs13.writeFileSync(manifestPath, manifestBackup, "utf-8");
         for (const reEncryptedFile of reEncryptedFiles) {
           const backup = fileBackups.get(reEncryptedFile);
           if (backup) {
-            fs12.writeFileSync(reEncryptedFile, backup, "utf-8");
+            fs13.writeFileSync(reEncryptedFile, backup, "utf-8");
           }
         }
         const restoredDoc = readManifestYaml(repoRoot);
@@ -3188,8 +3190,8 @@ var RecipientManager = class {
       throw new Error(`Recipient '${keyPreview(trimmedKey)}' is not in the manifest.`);
     }
     const removedEntry = parsed[matchIndex];
-    const manifestPath = path13.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const manifestBackup = fs12.readFileSync(manifestPath, "utf-8");
+    const manifestPath = path14.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const manifestBackup = fs13.readFileSync(manifestPath, "utf-8");
     const recipients = environment ? ensureEnvironmentRecipientsArray(doc, environment) : ensureRecipientsArray(doc);
     recipients.splice(matchIndex, 1);
     writeManifestYaml(repoRoot, doc);
@@ -3200,16 +3202,16 @@ var RecipientManager = class {
     const fileBackups = /* @__PURE__ */ new Map();
     for (const cell of cells) {
       try {
-        fileBackups.set(cell.filePath, fs12.readFileSync(cell.filePath, "utf-8"));
+        fileBackups.set(cell.filePath, fs13.readFileSync(cell.filePath, "utf-8"));
         await this.encryption.removeRecipient(cell.filePath, trimmedKey);
         reEncryptedFiles.push(cell.filePath);
       } catch {
         failedFiles.push(cell.filePath);
-        fs12.writeFileSync(manifestPath, manifestBackup, "utf-8");
+        fs13.writeFileSync(manifestPath, manifestBackup, "utf-8");
         for (const reEncryptedFile of reEncryptedFiles) {
           const backup = fileBackups.get(reEncryptedFile);
           if (backup) {
-            fs12.writeFileSync(reEncryptedFile, backup, "utf-8");
+            fs13.writeFileSync(reEncryptedFile, backup, "utf-8");
           }
         }
         const restoredDoc = readManifestYaml(repoRoot);
@@ -3243,19 +3245,19 @@ var RecipientManager = class {
 };
 
 // src/recipients/requests.ts
-import * as fs13 from "fs";
-import * as path14 from "path";
+import * as fs14 from "fs";
+import * as path15 from "path";
 import * as YAML9 from "yaml";
 var REQUESTS_FILENAME = ".clef-requests.yaml";
 var HEADER_COMMENT2 = "# Pending recipient access requests. Approve with: clef recipients approve <label>\n";
 function requestsFilePath(repoRoot) {
-  return path14.join(repoRoot, REQUESTS_FILENAME);
+  return path15.join(repoRoot, REQUESTS_FILENAME);
 }
 function loadRequests(repoRoot) {
   const filePath = requestsFilePath(repoRoot);
   try {
-    if (!fs13.existsSync(filePath)) return [];
-    const content = fs13.readFileSync(filePath, "utf-8");
+    if (!fs14.existsSync(filePath)) return [];
+    const content = fs14.readFileSync(filePath, "utf-8");
     const parsed = YAML9.parse(content);
     if (!parsed || !Array.isArray(parsed.requests)) return [];
     return parsed.requests.map((r) => ({
@@ -3272,7 +3274,7 @@ function saveRequests(repoRoot, requests) {
   const filePath = requestsFilePath(repoRoot);
   if (requests.length === 0) {
     try {
-      fs13.unlinkSync(filePath);
+      fs14.unlinkSync(filePath);
     } catch {
     }
     return;
@@ -3288,7 +3290,7 @@ function saveRequests(repoRoot, requests) {
       return raw;
     })
   };
-  fs13.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
+  fs14.writeFileSync(filePath, HEADER_COMMENT2 + YAML9.stringify(data), "utf-8");
 }
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
@@ -3324,7 +3326,7 @@ function findInList(requests, identifier) {
 }
 
 // src/drift/detector.ts
-import * as path15 from "path";
+import * as path16 from "path";
 var DriftDetector = class {
   parser = new ManifestParser();
   matrix = new MatrixManager();
@@ -3337,8 +3339,8 @@ var DriftDetector = class {
    * @returns Drift result with any issues found.
    */
   detect(localRoot, remoteRoot, namespaceFilter) {
-    const localManifest = this.parser.parse(path15.join(localRoot, CLEF_MANIFEST_FILENAME));
-    const remoteManifest = this.parser.parse(path15.join(remoteRoot, CLEF_MANIFEST_FILENAME));
+    const localManifest = this.parser.parse(path16.join(localRoot, CLEF_MANIFEST_FILENAME));
+    const remoteManifest = this.parser.parse(path16.join(remoteRoot, CLEF_MANIFEST_FILENAME));
     const localCells = this.matrix.resolveMatrix(localManifest, localRoot);
     const remoteCells = this.matrix.resolveMatrix(remoteManifest, remoteRoot);
     const localEnvNames = localManifest.environments.map((e) => e.name);
@@ -3402,7 +3404,7 @@ var DriftDetector = class {
 };
 
 // src/report/generator.ts
-import * as path16 from "path";
+import * as path17 from "path";
 
 // src/report/sanitizer.ts
 var ReportSanitizer = class {
@@ -3558,7 +3560,7 @@ var ReportGenerator = class {
     let manifest = null;
     try {
       const parser = new ManifestParser();
-      manifest = parser.parse(path16.join(repoRoot, "clef.yaml"));
+      manifest = parser.parse(path17.join(repoRoot, "clef.yaml"));
     } catch {
       const emptyManifest = {
         manifestVersion: 0,
@@ -4036,9 +4038,9 @@ var SopsMergeDriver = class {
 };
 
 // src/service-identity/manager.ts
-import * as fs14 from "fs";
+import * as fs15 from "fs";
 import * as os from "os";
-import * as path17 from "path";
+import * as path18 from "path";
 import * as YAML10 from "yaml";
 var PartialRotationError = class extends Error {
   constructor(message, rotatedKeys) {
@@ -4090,8 +4092,8 @@ var ServiceIdentityManager = class {
       environments
     };
     await this.registerRecipients(definition, manifest, repoRoot);
-    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const manifestPath = path18.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
     const doc = YAML10.parse(raw);
     if (!Array.isArray(doc.service_identities)) {
       doc.service_identities = [];
@@ -4102,13 +4104,13 @@ var ServiceIdentityManager = class {
       namespaces,
       environments
     });
-    const tmpCreate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    const tmpCreate = path18.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs14.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
-      fs14.renameSync(tmpCreate, manifestPath);
+      fs15.writeFileSync(tmpCreate, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmpCreate, manifestPath);
     } finally {
       try {
-        fs14.unlinkSync(tmpCreate);
+        fs15.unlinkSync(tmpCreate);
       } catch {
       }
     }
@@ -4146,8 +4148,8 @@ var ServiceIdentityManager = class {
       } catch {
       }
     }
-    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const manifestPath = path18.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
     const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     if (Array.isArray(identities)) {
@@ -4155,13 +4157,13 @@ var ServiceIdentityManager = class {
         (si) => si.name !== name
       );
     }
-    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    const tmp = path18.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs14.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
-      fs14.renameSync(tmp, manifestPath);
+      fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
     } finally {
       try {
-        fs14.unlinkSync(tmp);
+        fs15.unlinkSync(tmp);
       } catch {
       }
     }
@@ -4176,8 +4178,8 @@ var ServiceIdentityManager = class {
     if (!identity) {
       throw new Error(`Service identity '${name}' not found.`);
     }
-    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const manifestPath = path18.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
     const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
@@ -4203,13 +4205,13 @@ var ServiceIdentityManager = class {
       envs[envName] = { kms: kmsConfig };
       identity.environments[envName] = { kms: kmsConfig };
     }
-    const tmp = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    const tmp = path18.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs14.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
-      fs14.renameSync(tmp, manifestPath);
+      fs15.writeFileSync(tmp, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmp, manifestPath);
     } finally {
       try {
-        fs14.unlinkSync(tmp);
+        fs15.unlinkSync(tmp);
       } catch {
       }
     }
@@ -4245,8 +4247,8 @@ var ServiceIdentityManager = class {
     if (!identity) {
       throw new Error(`Service identity '${name}' not found.`);
     }
-    const manifestPath = path17.join(repoRoot, CLEF_MANIFEST_FILENAME);
-    const raw = fs14.readFileSync(manifestPath, "utf-8");
+    const manifestPath = path18.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const raw = fs15.readFileSync(manifestPath, "utf-8");
     const doc = YAML10.parse(raw);
     const identities = doc.service_identities;
     const siDoc = identities.find((si) => si.name === name);
@@ -4300,13 +4302,13 @@ var ServiceIdentityManager = class {
       }
       throw err;
     }
-    const tmpRotate = path17.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
+    const tmpRotate = path18.join(os.tmpdir(), `clef-manifest-${process.pid}-${Date.now()}.tmp`);
     try {
-      fs14.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
-      fs14.renameSync(tmpRotate, manifestPath);
+      fs15.writeFileSync(tmpRotate, YAML10.stringify(doc), "utf-8");
+      fs15.renameSync(tmpRotate, manifestPath);
     } finally {
       try {
-        fs14.unlinkSync(tmpRotate);
+        fs15.unlinkSync(tmpRotate);
       } catch {
       }
     }
@@ -4427,8 +4429,8 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 }
 
 // src/artifact/packer.ts
-import * as fs15 from "fs";
-import * as path18 from "path";
+import * as fs16 from "fs";
+import * as path19 from "path";
 import * as crypto3 from "crypto";
 
 // src/artifact/signer.ts
@@ -4603,9 +4605,9 @@ var ArtifactPacker = class {
         keys: Object.keys(resolved.values)
       };
     }
-    const outputDir = path18.dirname(config.outputPath);
-    if (!fs15.existsSync(outputDir)) {
-      fs15.mkdirSync(outputDir, { recursive: true });
+    const outputDir = path19.dirname(config.outputPath);
+    if (!fs16.existsSync(outputDir)) {
+      fs16.mkdirSync(outputDir, { recursive: true });
     }
     if (config.ttl && config.ttl > 0) {
       artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
@@ -4624,8 +4626,8 @@ var ArtifactPacker = class {
     }
     const json = JSON.stringify(artifact, null, 2);
     const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
-    fs15.writeFileSync(tmpOutput, json, "utf-8");
-    fs15.renameSync(tmpOutput, config.outputPath);
+    fs16.writeFileSync(tmpOutput, json, "utf-8");
+    fs16.renameSync(tmpOutput, config.outputPath);
     return {
       outputPath: config.outputPath,
       namespaceCount: resolved.identity.namespaces.length,
@@ -4638,8 +4640,215 @@ var ArtifactPacker = class {
 
 // src/kms/types.ts
 var VALID_KMS_PROVIDERS = ["aws", "gcp", "azure"];
+
+// src/migration/backend.ts
+import * as fs17 from "fs";
+import * as path20 from "path";
+import * as YAML11 from "yaml";
+var BACKEND_KEY_FIELDS = {
+  age: void 0,
+  awskms: "aws_kms_arn",
+  gcpkms: "gcp_kms_resource_id",
+  azurekv: "azure_kv_url",
+  pgp: "pgp_fingerprint"
+};
+var ALL_KEY_FIELDS = Object.values(BACKEND_KEY_FIELDS).filter(
+  (v) => v !== void 0
+);
+function metadataMatchesTarget(meta, target) {
+  if (meta.backend !== target.backend) return false;
+  if (!target.key) return true;
+  return meta.recipients.includes(target.key);
+}
+var BackendMigrator = class {
+  constructor(encryption, matrixManager) {
+    this.encryption = encryption;
+    this.matrixManager = matrixManager;
+  }
+  async migrate(manifest, repoRoot, options, callbacks, onProgress) {
+    const { target, environment, dryRun, skipVerify } = options;
+    if (environment) {
+      const env = manifest.environments.find((e) => e.name === environment);
+      if (!env) {
+        throw new Error(`Environment '${environment}' not found in manifest.`);
+      }
+    }
+    const allCells = this.matrixManager.resolveMatrix(manifest, repoRoot).filter((c) => c.exists);
+    const targetCells = environment ? allCells.filter((c) => c.environment === environment) : allCells;
+    if (targetCells.length === 0) {
+      return {
+        migratedFiles: [],
+        skippedFiles: [],
+        rolledBack: false,
+        verifiedFiles: [],
+        warnings: ["No encrypted files found to migrate."]
+      };
+    }
+    const toMigrate = [];
+    const skippedFiles = [];
+    for (const cell of targetCells) {
+      const meta = await this.encryption.getMetadata(cell.filePath);
+      if (metadataMatchesTarget(meta, target)) {
+        skippedFiles.push(cell.filePath);
+        onProgress?.({
+          type: "skip",
+          file: cell.filePath,
+          message: `${cell.namespace}/${cell.environment}: already on ${target.backend}, skipping`
+        });
+      } else {
+        toMigrate.push(cell);
+      }
+    }
+    if (toMigrate.length === 0) {
+      return {
+        migratedFiles: [],
+        skippedFiles,
+        rolledBack: false,
+        verifiedFiles: [],
+        warnings: ["All files already use the target backend and key. Nothing to migrate."]
+      };
+    }
+    if (dryRun) {
+      const warnings2 = [];
+      for (const cell of toMigrate) {
+        onProgress?.({
+          type: "info",
+          file: cell.filePath,
+          message: `Would migrate ${cell.namespace}/${cell.environment} to ${target.backend}`
+        });
+      }
+      if (environment) {
+        warnings2.push(
+          `Would add per-environment backend override for '${environment}' \u2192 ${target.backend}`
+        );
+      } else {
+        warnings2.push(`Would update global default_backend \u2192 ${target.backend}`);
+      }
+      this.checkAgeRecipientsWarning(manifest, target, environment, warnings2);
+      return {
+        migratedFiles: [],
+        skippedFiles,
+        rolledBack: false,
+        verifiedFiles: [],
+        warnings: warnings2
+      };
+    }
+    const manifestPath = path20.join(repoRoot, CLEF_MANIFEST_FILENAME);
+    const manifestBackup = fs17.readFileSync(manifestPath, "utf-8");
+    const sopsYamlPath = path20.join(repoRoot, ".sops.yaml");
+    const sopsYamlBackup = fs17.existsSync(sopsYamlPath) ? fs17.readFileSync(sopsYamlPath, "utf-8") : void 0;
+    const fileBackups = /* @__PURE__ */ new Map();
+    const doc = readManifestYaml(repoRoot);
+    this.updateManifestDoc(doc, target, environment);
+    writeManifestYaml(repoRoot, doc);
+    const updatedManifest = YAML11.parse(YAML11.stringify(doc));
+    callbacks.regenerateSopsConfig();
+    const migratedFiles = [];
+    for (const cell of toMigrate) {
+      try {
+        fileBackups.set(cell.filePath, fs17.readFileSync(cell.filePath, "utf-8"));
+        onProgress?.({
+          type: "migrate",
+          file: cell.filePath,
+          message: `Migrating ${cell.namespace}/${cell.environment}...`
+        });
+        const decrypted = await this.encryption.decrypt(cell.filePath);
+        await this.encryption.encrypt(
+          cell.filePath,
+          decrypted.values,
+          updatedManifest,
+          cell.environment
+        );
+        migratedFiles.push(cell.filePath);
+      } catch (err) {
+        this.rollback(manifestPath, manifestBackup, sopsYamlPath, sopsYamlBackup, fileBackups);
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        onProgress?.({
+          type: "warn",
+          file: cell.filePath,
+          message: `Migration failed: ${errorMsg}. All changes rolled back.`
+        });
+        return {
+          migratedFiles: [],
+          skippedFiles,
+          rolledBack: true,
+          error: `Failed on ${cell.namespace}/${cell.environment}: ${errorMsg}`,
+          verifiedFiles: [],
+          warnings: ["All changes have been rolled back."]
+        };
+      }
+    }
+    const verifiedFiles = [];
+    const warnings = [];
+    if (!skipVerify) {
+      for (const cell of toMigrate) {
+        try {
+          onProgress?.({
+            type: "verify",
+            file: cell.filePath,
+            message: `Verifying ${cell.namespace}/${cell.environment}...`
+          });
+          await this.encryption.decrypt(cell.filePath);
+          verifiedFiles.push(cell.filePath);
+        } catch (err) {
+          const errorMsg = err instanceof Error ? err.message : String(err);
+          warnings.push(
+            `Verification failed for ${cell.namespace}/${cell.environment}: ${errorMsg}`
+          );
+        }
+      }
+    }
+    this.checkAgeRecipientsWarning(manifest, target, environment, warnings);
+    return { migratedFiles, skippedFiles, rolledBack: false, verifiedFiles, warnings };
+  }
+  // ── Private helpers ──────────────────────────────────────────────────
+  updateManifestDoc(doc, target, environment) {
+    const keyField = BACKEND_KEY_FIELDS[target.backend];
+    if (environment) {
+      const environments = doc.environments;
+      const envDoc = environments.find(
+        (e) => e.name === environment
+      );
+      const sopsOverride = { backend: target.backend };
+      if (keyField && target.key) {
+        sopsOverride[keyField] = target.key;
+      }
+      envDoc.sops = sopsOverride;
+    } else {
+      const sops = doc.sops;
+      sops.default_backend = target.backend;
+      for (const field of ALL_KEY_FIELDS) {
+        delete sops[field];
+      }
+      if (keyField && target.key) {
+        sops[keyField] = target.key;
+      }
+    }
+  }
+  rollback(manifestPath, manifestBackup, sopsYamlPath, sopsYamlBackup, fileBackups) {
+    for (const [filePath, backup] of fileBackups) {
+      fs17.writeFileSync(filePath, backup, "utf-8");
+    }
+    if (sopsYamlBackup !== void 0) {
+      fs17.writeFileSync(sopsYamlPath, sopsYamlBackup, "utf-8");
+    } else if (fs17.existsSync(sopsYamlPath)) {
+      fs17.unlinkSync(sopsYamlPath);
+    }
+    fs17.writeFileSync(manifestPath, manifestBackup, "utf-8");
+  }
+  checkAgeRecipientsWarning(manifest, target, environment, warnings) {
+    if (target.backend === "age") return;
+    const hasRecipients = environment ? manifest.environments.find((e) => e.name === environment)?.recipients?.length : manifest.environments.some((e) => e.recipients?.length);
+    if (hasRecipients) {
+      warnings.push(
+        "Per-environment age recipients are no longer used for encryption on the migrated environments. Consider removing them from clef.yaml if they are no longer needed."
+      );
+    }
+  }
+};
 export {
   ArtifactPacker,
+  BackendMigrator,
   BulkOps,
   CLEF_MANIFEST_FILENAME,
   CLEF_REPORT_SCHEMA_VERSION,
@@ -4702,11 +4911,12 @@ export {
   markResolved,
   matchPatterns,
   metadataPath,
-  parse8 as parse,
+  parse9 as parse,
   parseDotenv,
   parseIgnoreContent,
   parseJson,
   parseYaml,
+  readManifestYaml,
   redactValue,
   removeRequest as removeAccessRequest,
   requestsFilePath,
@@ -4724,6 +4934,7 @@ export {
   signKms,
   upsertRequest,
   validateAgePublicKey,
-  verifySignature
+  verifySignature,
+  writeManifestYaml
 };
 //# sourceMappingURL=index.mjs.map